Windows Analysis Report
Ppto.24265.exe

Overview

General Information

Sample name:Ppto.24265.exe
Analysis ID:1545384
MD5:e1950e5f53b57caa57a7d2fa03f82b3d
SHA1:fe3515a0b99aea3b2bdeed2493662ea7ed3e4ca2
SHA256:3b9e1f0340918787ead7bbf5e5ac6415c392963f046f948fe39e522df43e1ab3
Tags:exe, user-malwarelabnet
Infos:

Detection

FormBook, GuLoader
Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected FormBook
Yara detected GuLoader
AI detected suspicious sample
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
PE / OLE file has an invalid certificate
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Ppto.24265.exe (PID: 5560 cmdline: "C:\Users\user\Desktop\Ppto.24265.exe" MD5: E1950E5F53B57CAA57A7D2FA03F82B3D)
    • Ppto.24265.exe (PID: 4648 cmdline: "C:\Users\user\Desktop\Ppto.24265.exe" MD5: E1950E5F53B57CAA57A7D2FA03F82B3D)
  • cleanup
No configs have been found
Yara matches
Source:00000005.00000002.3193311561.0000000035CC0000.00000004.00001000.00020000.00000000.sdmp
Rule:JoeSecurity_FormBook_1
Description:Yara detected FormBook
Author:Joe Security

Source:00000000.00000002.2405366164.00000000056C7000.00000040.00001000.00020000.00000000.sdmp
Rule:JoeSecurity_GuLoader_2
Description:Yara detected GuLoader
Author:Joe Security

No Sigma rule has matched

Suricata alerts
Timestamp:2024-10-30T14:21:48.110475+0100
SID:2803270
Severity:2
Classtype:Potentially Bad Traffic
Source IP:192.168.2.8
Source Port:61702
Destination IP:142.250.185.238
Destination Port:443
Protocol:TCP

      AV Detection

      Source: Yara matchFile source: 00000005.00000002.3193311561.0000000035CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
      Source: Ppto.24265.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: unknownHTTPS traffic detected: 142.250.185.238:443 -> 192.168.2.8:61702 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.8:61703 version: TLS 1.2
      Source: Ppto.24265.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: mshtml.pdb source: Ppto.24265.exe, 00000005.00000001.2403920361.0000000000649000.00000020.00000001.01000000.00000007.sdmp
      Source: Binary string: wntdll.pdbUGP source: Ppto.24265.exe, 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp, Ppto.24265.exe, 00000005.00000003.2836530497.0000000035E77000.00000004.00000020.00020000.00000000.sdmp, Ppto.24265.exe, 00000005.00000003.2834258199.0000000035CCB000.00000004.00000020.00020000.00000000.sdmp, Ppto.24265.exe, 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: wntdll.pdb source: Ppto.24265.exe, Ppto.24265.exe, 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp, Ppto.24265.exe, 00000005.00000003.2836530497.0000000035E77000.00000004.00000020.00020000.00000000.sdmp, Ppto.24265.exe, 00000005.00000003.2834258199.0000000035CCB000.00000004.00000020.00020000.00000000.sdmp, Ppto.24265.exe, 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: mshtml.pdbUGP source: Ppto.24265.exe, 00000005.00000001.2403920361.0000000000649000.00000020.00000001.01000000.00000007.sdmp
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 0_2_0040603A FindFirstFileA,FindClose,0_2_0040603A
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 0_2_004055F6 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_004055F6
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 0_2_00402645 FindFirstFileA,0_2_00402645
      Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
      Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:61702 -> 142.250.185.238:443
      Source: global traffic, HTTP traffic detected:
        GET /uc?export=download&id=1HjhLFhBl9QJWRF-emMzs9wHbwEMU7xFm HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
        Host: drive.google.com
        Cache-Control: no-cache
      Source: global traffic, HTTP traffic detected:
        GET /download?id=1HjhLFhBl9QJWRF-emMzs9wHbwEMU7xFm&export=download HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
        Cache-Control: no-cache
        Host: drive.usercontent.google.com
        Connection: Keep-Alive
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global trafficDNS traffic detected: DNS query: drive.google.com
      Source: global trafficDNS traffic detected: DNS query: drive.usercontent.google.com
      Source: Ppto.24265.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
      Source: Ppto.24265.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
      Source: Ppto.24265.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
      Source: Ppto.24265.exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
      Source: Ppto.24265.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
      Source: Ppto.24265.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
      Source: Ppto.24265.exeString found in binary or memory: http://nsis.sf.net/NSIS_Error
      Source: Ppto.24265.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
      Source: Ppto.24265.exeString found in binary or memory: http://ocsp.digicert.com0A
      Source: Ppto.24265.exeString found in binary or memory: http://ocsp.digicert.com0C
      Source: Ppto.24265.exeString found in binary or memory: http://ocsp.digicert.com0X
      Source: Ppto.24265.exe, 00000005.00000001.2403920361.0000000000649000.00000020.00000001.01000000.00000007.sdmpString found in binary or memory: http://www.ftp.ftp://ftp.gopher.
      Source: Ppto.24265.exe, 00000005.00000001.2403920361.00000000005F2000.00000020.00000001.01000000.00000007.sdmpString found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
      Source: Ppto.24265.exe, 00000005.00000001.2403920361.00000000005F2000.00000020.00000001.01000000.00000007.sdmpString found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
      Source: Ppto.24265.exe, 00000005.00000003.2564095645.0000000005F96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
      Source: Ppto.24265.exe, 00000005.00000002.3172317600.0000000005F28000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/
      Source: Ppto.24265.exe, 00000005.00000002.3193017150.0000000035440000.00000004.00001000.00020000.00000000.sdmp, Ppto.24265.exe, 00000005.00000002.3172317600.0000000005F28000.00000004.00000020.00020000.00000000.sdmp, Ppto.24265.exe, 00000005.00000002.3172317600.0000000005F65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1HjhLFhBl9QJWRF-emMzs9wHbwEMU7xFm
      Source: Ppto.24265.exe, 00000005.00000002.3172317600.0000000005F28000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1HjhLFhBl9QJWRF-emMzs9wHbwEMU7xFmF
      Source: Ppto.24265.exe, 00000005.00000002.3172420411.0000000005F91000.00000004.00000020.00020000.00000000.sdmp, Ppto.24265.exe, 00000005.00000003.2834508031.0000000005F8A000.00000004.00000020.00020000.00000000.sdmp, Ppto.24265.exe, 00000005.00000003.2601379180.0000000005F91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/
      Source: Ppto.24265.exe, 00000005.00000003.2834700214.0000000005F77000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1HjhLFhBl9QJWRF-emMzs9wHbwEMU7xFm&export=download
      Source: Ppto.24265.exe, 00000005.00000002.3172386995.0000000005F80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1HjhLFhBl9QJWRF-emMzs9wHbwEMU7xFm&export=download(
      Source: Ppto.24265.exe, 00000005.00000003.2834542832.0000000005F77000.00000004.00000020.00020000.00000000.sdmp, Ppto.24265.exe, 00000005.00000002.3172386995.0000000005F79000.00000004.00000020.00020000.00000000.sdmp, Ppto.24265.exe, 00000005.00000003.2834700214.0000000005F77000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1HjhLFhBl9QJWRF-emMzs9wHbwEMU7xFm&export=downloadV
      Source: Ppto.24265.exe, 00000005.00000002.3172420411.0000000005F91000.00000004.00000020.00020000.00000000.sdmp, Ppto.24265.exe, 00000005.00000003.2834508031.0000000005F8A000.00000004.00000020.00020000.00000000.sdmp, Ppto.24265.exe, 00000005.00000003.2601379180.0000000005F91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/t
      Source: Ppto.24265.exe, 00000005.00000001.2403920361.0000000000649000.00000020.00000001.01000000.00000007.sdmpString found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
      Source: Ppto.24265.exe, 00000005.00000003.2564095645.0000000005F96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
      Source: Ppto.24265.exe, 00000005.00000003.2564095645.0000000005F96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
      Source: Ppto.24265.exe, 00000005.00000003.2564095645.0000000005F96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
      Source: Ppto.24265.exe, 00000005.00000003.2564095645.0000000005F96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
      Source: Ppto.24265.exe, 00000005.00000003.2564095645.0000000005F96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
      Source: unknownNetwork traffic detected: HTTP traffic on port 61702 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 61702
      Source: unknownNetwork traffic detected: HTTP traffic on port 61703 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 61703
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 0_2_0040515D GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageA,CreatePopupMenu,LdrInitializeThunk,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,LdrInitializeThunk,SetClipboardData,CloseClipboard,0_2_0040515D

      E-Banking Fraud

      Source: Yara matchFile source: 00000005.00000002.3193311561.0000000035CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: C:\Users\user\Desktop\Ppto.24265.exeProcess Stats: CPU usage > 49%
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360935C0 NtCreateMutant,LdrInitializeThunk,5_2_360935C0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36092DF0 NtQuerySystemInformation,LdrInitializeThunk,5_2_36092DF0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36094650 NtSuspendThread,5_2_36094650
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36094340 NtSetContextThread,5_2_36094340
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36093010 NtOpenDirectoryObject,5_2_36093010
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36093090 NtSetValueKey,5_2_36093090
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36092E30 NtWriteVirtualMemory,5_2_36092E30
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36092E80 NtReadVirtualMemory,5_2_36092E80
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36092EA0 NtAdjustPrivilegesToken,5_2_36092EA0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36092EE0 NtQueueApcThread,5_2_36092EE0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36092F30 NtCreateSection,5_2_36092F30
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36092F60 NtCreateProcessEx,5_2_36092F60
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36092F90 NtProtectVirtualMemory,5_2_36092F90
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36092FA0 NtQuerySection,5_2_36092FA0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36092FB0 NtResumeThread,5_2_36092FB0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36092FE0 NtCreateFile,5_2_36092FE0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36092C00 NtQueryInformationProcess,5_2_36092C00
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36092C60 NtCreateKey,5_2_36092C60
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36092C70 NtFreeVirtualMemory,5_2_36092C70
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36092CA0 NtQueryInformationToken,5_2_36092CA0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36092CC0 NtQueryVirtualMemory,5_2_36092CC0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36092CF0 NtOpenProcess,5_2_36092CF0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36092D00 NtSetInformationFile,5_2_36092D00
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36092D10 NtMapViewOfSection,5_2_36092D10
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36093D10 NtOpenProcessToken,5_2_36093D10
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36092D30 NtUnmapViewOfSection,5_2_36092D30
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36093D70 NtOpenThread,5_2_36093D70
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36092DB0 NtEnumerateKey,5_2_36092DB0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36092DD0 NtDelayExecution,5_2_36092DD0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36092AB0 NtWaitForSingleObject,5_2_36092AB0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36092AD0 NtReadFile,5_2_36092AD0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36092AF0 NtWriteFile,5_2_36092AF0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36092B60 NtClose,5_2_36092B60
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36092B80 NtQueryInformationFile,5_2_36092B80
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36092BA0 NtEnumerateValueKey,5_2_36092BA0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36092BE0 NtQueryValueKey,5_2_36092BE0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36092BF0 NtAllocateVirtualMemory,5_2_36092BF0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360939B0 NtGetContextThread,5_2_360939B0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 0_2_00403217 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,0_2_00403217
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: String function: 3604B970 appears 268 times
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: String function: 36095130 appears 36 times
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: String function: 360CEA12 appears 86 times
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: String function: 360A7E54 appears 96 times
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: String function: 360DF290 appears 105 times
      Source: Ppto.24265.exeStatic PE information: invalid certificate
      Source: Ppto.24265.exe, 00000005.00000002.3193345971.00000000362F1000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Ppto.24265.exe
      Source: Ppto.24265.exe, 00000005.00000003.2834258199.0000000035DEE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Ppto.24265.exe
      Source: Ppto.24265.exe, 00000005.00000003.2836530497.0000000035FA4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Ppto.24265.exe
      Source: classification engineClassification label: mal68.troj.evad.winEXE@3/12@2/2
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 0_2_0040442A GetDlgItem,SetWindowTextA,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_0040442A
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 0_2_00402036 LdrInitializeThunk,CoCreateInstance,MultiByteToWideChar,LdrInitializeThunk,0_2_00402036
      Source: C:\Users\user\Desktop\Ppto.24265.exeFile created: C:\Users\user\colombiansJump to behavior
      Source: C:\Users\user\Desktop\Ppto.24265.exeFile created: C:\Users\user\AppData\Local\Temp\nsaC28E.tmpJump to behavior
      Source: Ppto.24265.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\Ppto.24265.exeFile read: C:\Users\desktop.iniJump to behavior
      Source: C:\Users\user\Desktop\Ppto.24265.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: C:\Users\user\Desktop\Ppto.24265.exeFile read: C:\Users\user\Desktop\Ppto.24265.exeJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\Ppto.24265.exe "C:\Users\user\Desktop\Ppto.24265.exe"
      Source: C:\Users\user\Desktop\Ppto.24265.exeProcess created: C:\Users\user\Desktop\Ppto.24265.exe "C:\Users\user\Desktop\Ppto.24265.exe"
      Source: C:\Users\user\Desktop\Ppto.24265.exeProcess created: C:\Users\user\Desktop\Ppto.24265.exe "C:\Users\user\Desktop\Ppto.24265.exe"Jump to behavior
      Source: C:\Users\user\Desktop\Ppto.24265.exeSection loaded: version.dllJump to behavior
      Source: C:\Users\user\Desktop\Ppto.24265.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\Desktop\Ppto.24265.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\Desktop\Ppto.24265.exeSection loaded: shfolder.dllJump to behavior
      Source: C:\Users\user\Desktop\Ppto.24265.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\Desktop\Ppto.24265.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\Desktop\Ppto.24265.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Users\user\Desktop\Ppto.24265.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Users\user\Desktop\Ppto.24265.exeSection loaded: riched20.dllJump to behavior
      Source: C:\Users\user\Desktop\Ppto.24265.exeSection loaded: usp10.dllJump to behavior
      Source: C:\Users\user\Desktop\Ppto.24265.exeSection loaded: msls31.dllJump to behavior
      Source: C:\Users\user\Desktop\Ppto.24265.exeSection loaded: textinputframework.dllJump to behavior
      Source: C:\Users\user\Desktop\Ppto.24265.exeSection loaded: coreuicomponents.dllJump to behavior
      Source: C:\Users\user\Desktop\Ppto.24265.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Users\user\Desktop\Ppto.24265.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Users\user\Desktop\Ppto.24265.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\Ppto.24265.exeSection loaded: craik.dllJump to behavior
      Source: C:\Users\user\Desktop\Ppto.24265.exe Section loaded: textshaping.dll
      Source: C:\Users\user\Desktop\Ppto.24265.exe Section loaded: iertutil.dll
      Source: C:\Users\user\Desktop\Ppto.24265.exe Section loaded: sspicli.dll
      Source: C:\Users\user\Desktop\Ppto.24265.exe Section loaded: powrprof.dll
      Source: C:\Users\user\Desktop\Ppto.24265.exe Section loaded: winhttp.dll
      Source: C:\Users\user\Desktop\Ppto.24265.exe Section loaded: wkscli.dll
      Source: C:\Users\user\Desktop\Ppto.24265.exe Section loaded: netutils.dll
      Source: C:\Users\user\Desktop\Ppto.24265.exe Section loaded: umpdc.dll
      Source: C:\Users\user\Desktop\Ppto.24265.exe Section loaded: wininet.dll
      Source: C:\Users\user\Desktop\Ppto.24265.exe Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\Ppto.24265.exe Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\Ppto.24265.exe Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\Ppto.24265.exe Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\Ppto.24265.exe Section loaded: ondemandconnroutehelper.dll
      Source: C:\Users\user\Desktop\Ppto.24265.exe Section loaded: iphlpapi.dll
      Source: C:\Users\user\Desktop\Ppto.24265.exe Section loaded: mswsock.dll
      Source: C:\Users\user\Desktop\Ppto.24265.exe Section loaded: winnsi.dll
      Source: C:\Users\user\Desktop\Ppto.24265.exe Section loaded: urlmon.dll
      Source: C:\Users\user\Desktop\Ppto.24265.exe Section loaded: srvcli.dll
      Source: C:\Users\user\Desktop\Ppto.24265.exe Section loaded: dnsapi.dll
      Source: C:\Users\user\Desktop\Ppto.24265.exe Section loaded: rasadhlp.dll
      Source: C:\Users\user\Desktop\Ppto.24265.exe Section loaded: fwpuclnt.dll
      Source: C:\Users\user\Desktop\Ppto.24265.exe Section loaded: schannel.dll
      Source: C:\Users\user\Desktop\Ppto.24265.exe Section loaded: mskeyprotect.dll
      Source: C:\Users\user\Desktop\Ppto.24265.exe Section loaded: ntasn1.dll
      Source: C:\Users\user\Desktop\Ppto.24265.exe Section loaded: msasn1.dll
      Source: C:\Users\user\Desktop\Ppto.24265.exe Section loaded: dpapi.dll
      Source: C:\Users\user\Desktop\Ppto.24265.exe Section loaded: cryptsp.dll
      Source: C:\Users\user\Desktop\Ppto.24265.exe Section loaded: rsaenh.dll
      Source: C:\Users\user\Desktop\Ppto.24265.exe Section loaded: cryptbase.dll
      Source: C:\Users\user\Desktop\Ppto.24265.exe Section loaded: gpapi.dll
      Source: C:\Users\user\Desktop\Ppto.24265.exe Section loaded: ncrypt.dll
      Source: C:\Users\user\Desktop\Ppto.24265.exe Section loaded: ncryptsslp.dll
      Source: C:\Users\user\Desktop\Ppto.24265.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
      Source: C:\Users\user\Desktop\Ppto.24265.exe File written: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\unportentously.ini
      Source: Ppto.24265.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: mshtml.pdb source: Ppto.24265.exe, 00000005.00000001.2403920361.0000000000649000.00000020.00000001.01000000.00000007.sdmp
      Source: Binary string: wntdll.pdbUGP source: Ppto.24265.exe, 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp, Ppto.24265.exe, 00000005.00000003.2836530497.0000000035E77000.00000004.00000020.00020000.00000000.sdmp, Ppto.24265.exe, 00000005.00000003.2834258199.0000000035CCB000.00000004.00000020.00020000.00000000.sdmp, Ppto.24265.exe, 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: wntdll.pdb source: Ppto.24265.exe, Ppto.24265.exe, 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp, Ppto.24265.exe, 00000005.00000003.2836530497.0000000035E77000.00000004.00000020.00020000.00000000.sdmp, Ppto.24265.exe, 00000005.00000003.2834258199.0000000035CCB000.00000004.00000020.00020000.00000000.sdmp, Ppto.24265.exe, 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp
      Source: Binary string: mshtml.pdbUGP source: Ppto.24265.exe, 00000005.00000001.2403920361.0000000000649000.00000020.00000001.01000000.00000007.sdmp

      Data Obfuscation

      Source: Yara match File source: 00000000.00000002.2405366164.00000000056C7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 0_2_00406061 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406061
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 0_2_10002D30 push eax; ret 0_2_10002D5E
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_360509AD push ecx; mov dword ptr [esp], ecx 5_2_360509B6
      Source: C:\Users\user\Desktop\Ppto.24265.exe File created: C:\Users\user\AppData\Local\Temp\nsv5087.tmp\System.dll
      Source: C:\Users\user\Desktop\Ppto.24265.exe Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Users\user\Desktop\Ppto.24265.exe API/Special instruction interceptor: Address: 5987F9E
      Source: C:\Users\user\Desktop\Ppto.24265.exe API/Special instruction interceptor: Address: 24C7F9E
      Source: C:\Users\user\Desktop\Ppto.24265.exe RDTSC instruction interceptor: First address: 5925679 second address: 5925679 instructions: 0x00000000 rdtsc 0x00000002 test edx, edx 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F56C073E813h 0x00000008 cmp cl, dl 0x0000000a cmp bl, cl 0x0000000c inc ebp 0x0000000d inc ebx 0x0000000e clc 0x0000000f rdtsc
      Source: C:\Users\user\Desktop\Ppto.24265.exe RDTSC instruction interceptor: First address: 2465679 second address: 2465679 instructions: 0x00000000 rdtsc 0x00000002 test edx, edx 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F56C10FD1B3h 0x00000008 cmp cl, dl 0x0000000a cmp bl, cl 0x0000000c inc ebp 0x0000000d inc ebx 0x0000000e clc 0x0000000f rdtsc
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_360CD1C0 rdtsc 5_2_360CD1C0
      Source: C:\Users\user\Desktop\Ppto.24265.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv5087.tmp\System.dll
      Source: C:\Users\user\Desktop\Ppto.24265.exe API coverage: 0.1 %
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 0_2_0040603A FindFirstFileA,FindClose, 0_2_0040603A
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 0_2_004055F6 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_004055F6
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 0_2_00402645 FindFirstFileA, 0_2_00402645
      Source: Ppto.24265.exe, 00000005.00000002.3172386995.0000000005F80000.00000004.00000020.00020000.00000000.sdmp, Ppto.24265.exe, 00000005.00000003.2834700214.0000000005F80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWf
      Source: Ppto.24265.exe, 00000005.00000002.3172386995.0000000005F80000.00000004.00000020.00020000.00000000.sdmp, Ppto.24265.exe, 00000005.00000003.2834700214.0000000005F80000.00000004.00000020.00020000.00000000.sdmp, Ppto.24265.exe, 00000005.00000002.3172317600.0000000005F28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
      Source: Ppto.24265.exe, 00000000.00000002.2404383003.00000000005E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f
      Source: C:\Users\user\Desktop\Ppto.24265.exe API call chain: ExitProcess graph end node graph_0-4261
      Source: C:\Users\user\Desktop\Ppto.24265.exe API call chain: ExitProcess graph end node graph_0-4427
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_360CD1C0 rdtsc 5_2_360CD1C0
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 0_2_00401F68 LdrInitializeThunk,GetModuleHandleA,LoadLibraryExA,GetProcAddress,FreeLibrary, 0_2_00401F68
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 0_2_00406061 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406061
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_360CE609 mov eax, dword ptr fs:[00000030h] 5_2_360CE609
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_3608F603 mov eax, dword ptr fs:[00000030h] 5_2_3608F603
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_3606260B mov eax, dword ptr fs:[00000030h] 5_2_3606260B
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_36081607 mov eax, dword ptr fs:[00000030h] 5_2_36081607
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_36092619 mov eax, dword ptr fs:[00000030h] 5_2_36092619
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_36053616 mov eax, dword ptr fs:[00000030h] 5_2_36053616
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_3606E627 mov eax, dword ptr fs:[00000030h] 5_2_3606E627
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_3604F626 mov eax, dword ptr fs:[00000030h] 5_2_3604F626
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_36125636 mov eax, dword ptr fs:[00000030h] 5_2_36125636
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_36086620 mov eax, dword ptr fs:[00000030h] 5_2_36086620
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_36088620 mov eax, dword ptr fs:[00000030h] 5_2_36088620
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_3605262C mov eax, dword ptr fs:[00000030h] 5_2_3605262C
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_3606C640 mov eax, dword ptr fs:[00000030h] 5_2_3606C640
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_3608A660 mov eax, dword ptr fs:[00000030h] 5_2_3608A660
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_36089660 mov eax, dword ptr fs:[00000030h] 5_2_36089660
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_36082674 mov eax, dword ptr fs:[00000030h] 5_2_36082674
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_3611866E mov eax, dword ptr fs:[00000030h] 5_2_3611866E
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_360D368C mov eax, dword ptr fs:[00000030h] 5_2_360D368C
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_36054690 mov eax, dword ptr fs:[00000030h] 5_2_36054690
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_3604D6AA mov eax, dword ptr fs:[00000030h] 5_2_3604D6AA
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_3608C6A6 mov eax, dword ptr fs:[00000030h] 5_2_3608C6A6
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_360476B2 mov eax, dword ptr fs:[00000030h] 5_2_360476B2
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_360866B0 mov eax, dword ptr fs:[00000030h] 5_2_360866B0
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_3605B6C0 mov eax, dword ptr fs:[00000030h] 5_2_3605B6C0
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_360816CF mov eax, dword ptr fs:[00000030h] 5_2_360816CF
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_3608A6C7 mov ebx, dword ptr fs:[00000030h] 5_2_3608A6C7
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_3608A6C7 mov eax, dword ptr fs:[00000030h] 5_2_3608A6C7
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_3610F6C7 mov eax, dword ptr fs:[00000030h] 5_2_3610F6C7
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_361116CC mov eax, dword ptr fs:[00000030h] 5_2_361116CC
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_3610D6F0 mov eax, dword ptr fs:[00000030h] 5_2_3610D6F0
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_360E36EE mov eax, dword ptr fs:[00000030h] 5_2_360E36EE
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_3607D6E0 mov eax, dword ptr fs:[00000030h] 5_2_3607D6E0
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_360836EF mov eax, dword ptr fs:[00000030h] 5_2_360836EF
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_360D06F1 mov eax, dword ptr fs:[00000030h] 5_2_360D06F1
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_360CE6F2 mov eax, dword ptr fs:[00000030h] 5_2_360CE6F2
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_36057703 mov eax, dword ptr fs:[00000030h] 5_2_36057703
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_36055702 mov eax, dword ptr fs:[00000030h] 5_2_36055702
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_3608C700 mov eax, dword ptr fs:[00000030h] 5_2_3608C700
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_36050710 mov eax, dword ptr fs:[00000030h] 5_2_36050710
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_3608F71F mov eax, dword ptr fs:[00000030h] 5_2_3608F71F
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_36080710 mov eax, dword ptr fs:[00000030h] 5_2_36080710
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_36053720 mov eax, dword ptr fs:[00000030h] 5_2_36053720
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_3606F720 mov eax, dword ptr fs:[00000030h] 5_2_3606F720
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_3608C720 mov eax, dword ptr fs:[00000030h] 5_2_3608C720
      Source: C:\Users\user\Desktop\Ppto.24265.exe Code function: 5_2_3612B73C mov eax, dword ptr fs:[00000030h] 5_2_3612B73C
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3612B73C mov eax, dword ptr fs:[00000030h]5_2_3612B73C
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3612B73C mov eax, dword ptr fs:[00000030h]5_2_3612B73C
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3612B73C mov eax, dword ptr fs:[00000030h]5_2_3612B73C
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3608273C mov eax, dword ptr fs:[00000030h]5_2_3608273C
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3608273C mov ecx, dword ptr fs:[00000030h]5_2_3608273C
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3608273C mov eax, dword ptr fs:[00000030h]5_2_3608273C
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36049730 mov eax, dword ptr fs:[00000030h]5_2_36049730
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36049730 mov eax, dword ptr fs:[00000030h]5_2_36049730
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3611972B mov eax, dword ptr fs:[00000030h]5_2_3611972B
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360CC730 mov eax, dword ptr fs:[00000030h]5_2_360CC730
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36085734 mov eax, dword ptr fs:[00000030h]5_2_36085734
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3610F72E mov eax, dword ptr fs:[00000030h]5_2_3610F72E
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3605973A mov eax, dword ptr fs:[00000030h]5_2_3605973A
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3605973A mov eax, dword ptr fs:[00000030h]5_2_3605973A
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3608674D mov esi, dword ptr fs:[00000030h]5_2_3608674D
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3608674D mov eax, dword ptr fs:[00000030h]5_2_3608674D
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3608674D mov eax, dword ptr fs:[00000030h]5_2_3608674D
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36063740 mov eax, dword ptr fs:[00000030h]5_2_36063740
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36063740 mov eax, dword ptr fs:[00000030h]5_2_36063740
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36063740 mov eax, dword ptr fs:[00000030h]5_2_36063740
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360DE75D mov eax, dword ptr fs:[00000030h]5_2_360DE75D
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36050750 mov eax, dword ptr fs:[00000030h]5_2_36050750
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360D4755 mov eax, dword ptr fs:[00000030h]5_2_360D4755
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36092750 mov eax, dword ptr fs:[00000030h]5_2_36092750
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36092750 mov eax, dword ptr fs:[00000030h]5_2_36092750
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36123749 mov eax, dword ptr fs:[00000030h]5_2_36123749
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3604B765 mov eax, dword ptr fs:[00000030h]5_2_3604B765
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3604B765 mov eax, dword ptr fs:[00000030h]5_2_3604B765
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3604B765 mov eax, dword ptr fs:[00000030h]5_2_3604B765
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3604B765 mov eax, dword ptr fs:[00000030h]5_2_3604B765
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36058770 mov eax, dword ptr fs:[00000030h]5_2_36058770
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36060770 mov eax, dword ptr fs:[00000030h]5_2_36060770
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36060770 mov eax, dword ptr fs:[00000030h]5_2_36060770
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36060770 mov eax, dword ptr fs:[00000030h]5_2_36060770
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36060770 mov eax, dword ptr fs:[00000030h]5_2_36060770
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36060770 mov eax, dword ptr fs:[00000030h]5_2_36060770
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36060770 mov eax, dword ptr fs:[00000030h]5_2_36060770
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36060770 mov eax, dword ptr fs:[00000030h]5_2_36060770
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36060770 mov eax, dword ptr fs:[00000030h]5_2_36060770
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36060770 mov eax, dword ptr fs:[00000030h]5_2_36060770
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36060770 mov eax, dword ptr fs:[00000030h]5_2_36060770
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36060770 mov eax, dword ptr fs:[00000030h]5_2_36060770
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36060770 mov eax, dword ptr fs:[00000030h]5_2_36060770
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3610F78A mov eax, dword ptr fs:[00000030h]5_2_3610F78A
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360DF7AF mov eax, dword ptr fs:[00000030h]5_2_360DF7AF
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360DF7AF mov eax, dword ptr fs:[00000030h]5_2_360DF7AF
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360DF7AF mov eax, dword ptr fs:[00000030h]5_2_360DF7AF
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360DF7AF mov eax, dword ptr fs:[00000030h]5_2_360DF7AF
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360DF7AF mov eax, dword ptr fs:[00000030h]5_2_360DF7AF
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_361237B6 mov eax, dword ptr fs:[00000030h]5_2_361237B6
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360D97A9 mov eax, dword ptr fs:[00000030h]5_2_360D97A9
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360507AF mov eax, dword ptr fs:[00000030h]5_2_360507AF
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3607D7B0 mov eax, dword ptr fs:[00000030h]5_2_3607D7B0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3604F7BA mov eax, dword ptr fs:[00000030h]5_2_3604F7BA
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3604F7BA mov eax, dword ptr fs:[00000030h]5_2_3604F7BA
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3604F7BA mov eax, dword ptr fs:[00000030h]5_2_3604F7BA
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3604F7BA mov eax, dword ptr fs:[00000030h]5_2_3604F7BA
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3604F7BA mov eax, dword ptr fs:[00000030h]5_2_3604F7BA
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3604F7BA mov eax, dword ptr fs:[00000030h]5_2_3604F7BA
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3604F7BA mov eax, dword ptr fs:[00000030h]5_2_3604F7BA
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3604F7BA mov eax, dword ptr fs:[00000030h]5_2_3604F7BA
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3604F7BA mov eax, dword ptr fs:[00000030h]5_2_3604F7BA
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3605C7C0 mov eax, dword ptr fs:[00000030h]5_2_3605C7C0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360557C0 mov eax, dword ptr fs:[00000030h]5_2_360557C0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360557C0 mov eax, dword ptr fs:[00000030h]5_2_360557C0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360557C0 mov eax, dword ptr fs:[00000030h]5_2_360557C0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360D07C3 mov eax, dword ptr fs:[00000030h]5_2_360D07C3
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3605D7E0 mov ecx, dword ptr fs:[00000030h]5_2_3605D7E0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360727ED mov eax, dword ptr fs:[00000030h]5_2_360727ED
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360727ED mov eax, dword ptr fs:[00000030h]5_2_360727ED
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360727ED mov eax, dword ptr fs:[00000030h]5_2_360727ED
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360DE7E1 mov eax, dword ptr fs:[00000030h]5_2_360DE7E1
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360547FB mov eax, dword ptr fs:[00000030h]5_2_360547FB
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360547FB mov eax, dword ptr fs:[00000030h]5_2_360547FB
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3607340D mov eax, dword ptr fs:[00000030h]5_2_3607340D
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36088402 mov eax, dword ptr fs:[00000030h]5_2_36088402
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36088402 mov eax, dword ptr fs:[00000030h]5_2_36088402
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36088402 mov eax, dword ptr fs:[00000030h]5_2_36088402
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360D7410 mov eax, dword ptr fs:[00000030h]5_2_360D7410
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3604C427 mov eax, dword ptr fs:[00000030h]5_2_3604C427
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3604E420 mov eax, dword ptr fs:[00000030h]5_2_3604E420
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3604E420 mov eax, dword ptr fs:[00000030h]5_2_3604E420
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3604E420 mov eax, dword ptr fs:[00000030h]5_2_3604E420
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360D6420 mov eax, dword ptr fs:[00000030h]5_2_360D6420
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360D6420 mov eax, dword ptr fs:[00000030h]5_2_360D6420
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360D6420 mov eax, dword ptr fs:[00000030h]5_2_360D6420
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360D6420 mov eax, dword ptr fs:[00000030h]5_2_360D6420
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360D6420 mov eax, dword ptr fs:[00000030h]5_2_360D6420
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360D6420 mov eax, dword ptr fs:[00000030h]5_2_360D6420
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360D6420 mov eax, dword ptr fs:[00000030h]5_2_360D6420
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3608A430 mov eax, dword ptr fs:[00000030h]5_2_3608A430
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3610F453 mov eax, dword ptr fs:[00000030h]5_2_3610F453
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3605B440 mov eax, dword ptr fs:[00000030h]5_2_3605B440
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3605B440 mov eax, dword ptr fs:[00000030h]5_2_3605B440
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3605B440 mov eax, dword ptr fs:[00000030h]5_2_3605B440
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3605B440 mov eax, dword ptr fs:[00000030h]5_2_3605B440
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3605B440 mov eax, dword ptr fs:[00000030h]5_2_3605B440
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3605B440 mov eax, dword ptr fs:[00000030h]5_2_3605B440
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3608E443 mov eax, dword ptr fs:[00000030h]5_2_3608E443
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3608E443 mov eax, dword ptr fs:[00000030h]5_2_3608E443
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3608E443 mov eax, dword ptr fs:[00000030h]5_2_3608E443
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3608E443 mov eax, dword ptr fs:[00000030h]5_2_3608E443
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3608E443 mov eax, dword ptr fs:[00000030h]5_2_3608E443
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3608E443 mov eax, dword ptr fs:[00000030h]5_2_3608E443
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3608E443 mov eax, dword ptr fs:[00000030h]5_2_3608E443
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3608E443 mov eax, dword ptr fs:[00000030h]5_2_3608E443
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3604645D mov eax, dword ptr fs:[00000030h]5_2_3604645D
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3607245A mov eax, dword ptr fs:[00000030h]5_2_3607245A
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36051460 mov eax, dword ptr fs:[00000030h]5_2_36051460
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36051460 mov eax, dword ptr fs:[00000030h]5_2_36051460
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36051460 mov eax, dword ptr fs:[00000030h]5_2_36051460
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36051460 mov eax, dword ptr fs:[00000030h]5_2_36051460
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36051460 mov eax, dword ptr fs:[00000030h]5_2_36051460
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3606F460 mov eax, dword ptr fs:[00000030h]5_2_3606F460
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3606F460 mov eax, dword ptr fs:[00000030h]5_2_3606F460
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3606F460 mov eax, dword ptr fs:[00000030h]5_2_3606F460
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3606F460 mov eax, dword ptr fs:[00000030h]5_2_3606F460
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3606F460 mov eax, dword ptr fs:[00000030h]5_2_3606F460
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3606F460 mov eax, dword ptr fs:[00000030h]5_2_3606F460
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3612547F mov eax, dword ptr fs:[00000030h]5_2_3612547F
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360DC460 mov ecx, dword ptr fs:[00000030h]5_2_360DC460
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3607A470 mov eax, dword ptr fs:[00000030h]5_2_3607A470
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3607A470 mov eax, dword ptr fs:[00000030h]5_2_3607A470
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3607A470 mov eax, dword ptr fs:[00000030h]5_2_3607A470
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36059486 mov eax, dword ptr fs:[00000030h]5_2_36059486
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36059486 mov eax, dword ptr fs:[00000030h]5_2_36059486
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3604B480 mov eax, dword ptr fs:[00000030h]5_2_3604B480
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360564AB mov eax, dword ptr fs:[00000030h]5_2_360564AB
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360834B0 mov eax, dword ptr fs:[00000030h]5_2_360834B0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360844B0 mov ecx, dword ptr fs:[00000030h]5_2_360844B0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360DA4B0 mov eax, dword ptr fs:[00000030h]5_2_360DA4B0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_361254DB mov eax, dword ptr fs:[00000030h]5_2_361254DB
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360504E5 mov ecx, dword ptr fs:[00000030h]5_2_360504E5
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360F94E0 mov eax, dword ptr fs:[00000030h]5_2_360F94E0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36087505 mov eax, dword ptr fs:[00000030h]5_2_36087505
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36087505 mov ecx, dword ptr fs:[00000030h]5_2_36087505
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36124500 mov eax, dword ptr fs:[00000030h]5_2_36124500
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36124500 mov eax, dword ptr fs:[00000030h]5_2_36124500
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36124500 mov eax, dword ptr fs:[00000030h]5_2_36124500
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36124500 mov eax, dword ptr fs:[00000030h]5_2_36124500
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36124500 mov eax, dword ptr fs:[00000030h]5_2_36124500
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36124500 mov eax, dword ptr fs:[00000030h]5_2_36124500
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36124500 mov eax, dword ptr fs:[00000030h]5_2_36124500
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36125537 mov eax, dword ptr fs:[00000030h]5_2_36125537
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360FF525 mov eax, dword ptr fs:[00000030h]5_2_360FF525
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360FF525 mov eax, dword ptr fs:[00000030h]5_2_360FF525
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360FF525 mov eax, dword ptr fs:[00000030h]5_2_360FF525
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360FF525 mov eax, dword ptr fs:[00000030h]5_2_360FF525
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360FF525 mov eax, dword ptr fs:[00000030h]5_2_360FF525
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360FF525 mov eax, dword ptr fs:[00000030h]5_2_360FF525
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360FF525 mov eax, dword ptr fs:[00000030h]5_2_360FF525
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3605D534 mov eax, dword ptr fs:[00000030h]5_2_3605D534
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3605D534 mov eax, dword ptr fs:[00000030h]5_2_3605D534
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3605D534 mov eax, dword ptr fs:[00000030h]5_2_3605D534
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3605D534 mov eax, dword ptr fs:[00000030h]5_2_3605D534
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3605D534 mov eax, dword ptr fs:[00000030h]5_2_3605D534
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3605D534 mov eax, dword ptr fs:[00000030h]5_2_3605D534
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36060535 mov eax, dword ptr fs:[00000030h]5_2_36060535
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36060535 mov eax, dword ptr fs:[00000030h]5_2_36060535
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36060535 mov eax, dword ptr fs:[00000030h]5_2_36060535
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36060535 mov eax, dword ptr fs:[00000030h]5_2_36060535
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36060535 mov eax, dword ptr fs:[00000030h]5_2_36060535
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36060535 mov eax, dword ptr fs:[00000030h]5_2_36060535
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3608D530 mov eax, dword ptr fs:[00000030h]5_2_3608D530
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3608D530 mov eax, dword ptr fs:[00000030h]5_2_3608D530
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3607E53E mov eax, dword ptr fs:[00000030h]5_2_3607E53E
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3607E53E mov eax, dword ptr fs:[00000030h]5_2_3607E53E
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3607E53E mov eax, dword ptr fs:[00000030h]5_2_3607E53E
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3607E53E mov eax, dword ptr fs:[00000030h]5_2_3607E53E
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3607E53E mov eax, dword ptr fs:[00000030h]5_2_3607E53E
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3610B52F mov eax, dword ptr fs:[00000030h]5_2_3610B52F
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36058550 mov eax, dword ptr fs:[00000030h]5_2_36058550
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36058550 mov eax, dword ptr fs:[00000030h]5_2_36058550
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3608656A mov eax, dword ptr fs:[00000030h]5_2_3608656A
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3608656A mov eax, dword ptr fs:[00000030h]5_2_3608656A
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3608656A mov eax, dword ptr fs:[00000030h]5_2_3608656A
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3604B562 mov eax, dword ptr fs:[00000030h]5_2_3604B562
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3608B570 mov eax, dword ptr fs:[00000030h]5_2_3608B570
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3608B570 mov eax, dword ptr fs:[00000030h]5_2_3608B570
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36084588 mov eax, dword ptr fs:[00000030h]5_2_36084588
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36052582 mov eax, dword ptr fs:[00000030h]5_2_36052582
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_36052582 mov ecx, dword ptr fs:[00000030h]5_2_36052582
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3604758F mov eax, dword ptr fs:[00000030h]5_2_3604758F
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3604758F mov eax, dword ptr fs:[00000030h]5_2_3604758F
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3604758F mov eax, dword ptr fs:[00000030h]5_2_3604758F
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3608E59C mov eax, dword ptr fs:[00000030h]5_2_3608E59C
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360DB594 mov eax, dword ptr fs:[00000030h]5_2_360DB594
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360DB594 mov eax, dword ptr fs:[00000030h]5_2_360DB594
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360D05A7 mov eax, dword ptr fs:[00000030h]5_2_360D05A7
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360D05A7 mov eax, dword ptr fs:[00000030h]5_2_360D05A7
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360D05A7 mov eax, dword ptr fs:[00000030h]5_2_360D05A7
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3610F5BE mov eax, dword ptr fs:[00000030h]5_2_3610F5BE
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360715A9 mov eax, dword ptr fs:[00000030h]5_2_360715A9
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360715A9 mov eax, dword ptr fs:[00000030h]5_2_360715A9
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360715A9 mov eax, dword ptr fs:[00000030h]5_2_360715A9
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360715A9 mov eax, dword ptr fs:[00000030h]5_2_360715A9
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360715A9 mov eax, dword ptr fs:[00000030h]5_2_360715A9
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360E35BA mov eax, dword ptr fs:[00000030h]5_2_360E35BA
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360E35BA mov eax, dword ptr fs:[00000030h]5_2_360E35BA
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360E35BA mov eax, dword ptr fs:[00000030h]5_2_360E35BA
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360E35BA mov eax, dword ptr fs:[00000030h]5_2_360E35BA
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360745B1 mov eax, dword ptr fs:[00000030h]5_2_360745B1
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360745B1 mov eax, dword ptr fs:[00000030h]5_2_360745B1
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3607F5B0 mov eax, dword ptr fs:[00000030h]5_2_3607F5B0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3607F5B0 mov eax, dword ptr fs:[00000030h]5_2_3607F5B0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3607F5B0 mov eax, dword ptr fs:[00000030h]5_2_3607F5B0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3607F5B0 mov eax, dword ptr fs:[00000030h]5_2_3607F5B0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3607F5B0 mov eax, dword ptr fs:[00000030h]5_2_3607F5B0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3607F5B0 mov eax, dword ptr fs:[00000030h]5_2_3607F5B0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3607F5B0 mov eax, dword ptr fs:[00000030h]5_2_3607F5B0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3607F5B0 mov eax, dword ptr fs:[00000030h]5_2_3607F5B0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3607F5B0 mov eax, dword ptr fs:[00000030h]5_2_3607F5B0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_361235D7 mov eax, dword ptr fs:[00000030h]5_2_361235D7
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_361235D7 mov eax, dword ptr fs:[00000030h]5_2_361235D7
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_361235D7 mov eax, dword ptr fs:[00000030h]5_2_361235D7
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3608E5CF mov eax, dword ptr fs:[00000030h]5_2_3608E5CF
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3608E5CF mov eax, dword ptr fs:[00000030h]5_2_3608E5CF
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360855C0 mov eax, dword ptr fs:[00000030h]5_2_360855C0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360565D0 mov eax, dword ptr fs:[00000030h]5_2_360565D0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3608A5D0 mov eax, dword ptr fs:[00000030h]5_2_3608A5D0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3608A5D0 mov eax, dword ptr fs:[00000030h]5_2_3608A5D0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_361255C9 mov eax, dword ptr fs:[00000030h]5_2_361255C9
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360CD5D0 mov eax, dword ptr fs:[00000030h]5_2_360CD5D0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360CD5D0 mov ecx, dword ptr fs:[00000030h]5_2_360CD5D0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360795DA mov eax, dword ptr fs:[00000030h]5_2_360795DA
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3607E5E7 mov eax, dword ptr fs:[00000030h]5_2_3607E5E7
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3607E5E7 mov eax, dword ptr fs:[00000030h]5_2_3607E5E7
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3607E5E7 mov eax, dword ptr fs:[00000030h]5_2_3607E5E7
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3607E5E7 mov eax, dword ptr fs:[00000030h]5_2_3607E5E7
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3607E5E7 mov eax, dword ptr fs:[00000030h]5_2_3607E5E7
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3607E5E7 mov eax, dword ptr fs:[00000030h]5_2_3607E5E7
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3607E5E7 mov eax, dword ptr fs:[00000030h]5_2_3607E5E7
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3607E5E7 mov eax, dword ptr fs:[00000030h]5_2_3607E5E7
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3608C5ED mov eax, dword ptr fs:[00000030h]5_2_3608C5ED
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_3608C5ED mov eax, dword ptr fs:[00000030h]5_2_3608C5ED
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360525E0 mov eax, dword ptr fs:[00000030h]5_2_360525E0
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360715F4 mov eax, dword ptr fs:[00000030h]5_2_360715F4
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360715F4 mov eax, dword ptr fs:[00000030h]5_2_360715F4
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360715F4 mov eax, dword ptr fs:[00000030h]5_2_360715F4
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360715F4 mov eax, dword ptr fs:[00000030h]5_2_360715F4
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360715F4 mov eax, dword ptr fs:[00000030h]5_2_360715F4
      Source: C:\Users\user\Desktop\Ppto.24265.exeCode function: 5_2_360715F4 mov eax, dword ptr fs:[00000030h]5_2_360715F4
      Source: C:\Users\user\Desktop\Ppto.24265.exe, Process created: C:\Users\user\Desktop\Ppto.24265.exe "C:\Users\user\Desktop\Ppto.24265.exe"
      Source: C:\Users\user\Desktop\Ppto.24265.exe, Code function: 0_2_00405D58 GetVersion, GetSystemDirectoryA, GetWindowsDirectoryA, SHGetSpecialFolderLocation, SHGetPathFromIDListA, CoTaskMemFree, lstrcatA, lstrlenA

      Stealing of Sensitive Information

      Source: Yara match, File source: 00000005.00000002.3193311561.0000000035CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

      Remote Access Functionality

      Source: Yara match, File source: 00000005.00000002.3193311561.0000000035CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

      Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
      Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
      Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd
      Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
      Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script
      Defense Evasion: 1 Masquerading; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading
      Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
      Discovery: 211 Security Software Discovery; 3 File and Directory Discovery; 23 System Information Discovery; System Network Configuration Discovery; Internet Connection Discovery
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
      Collection: 1 Archive Collected Data; 1 Clipboard Data; Data from Network Shared Drive; Input Capture; Keylogging
      Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
      Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact

      Source | Detection | Scanner | Label | Link
      Ppto.24265.exe | 8% | ReversingLabs | |

      Source | Detection | Scanner | Label | Link
      C:\Users\user\AppData\Local\Temp\nsv5087.tmp\System.dll | 0% | ReversingLabs | |

      No Antivirus matches
      No Antivirus matches

      Source | Detection | Scanner | Label | Link
      http://nsis.sf.net/NSIS_Error | 0% | URL Reputation | safe |
      https://apis.google.com | 0% | URL Reputation | safe |
      http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe |

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      drive.google.com | 142.250.185.238 | true | false | | unknown
      drive.usercontent.google.com | 172.217.16.193 | true | false | | unknown

      Name | Source | Malicious | Antivirus Detection | Reputation
      http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd | Ppto.24265.exe, 00000005.00000001.2403920361.00000000005F2000.00000020.00000001.01000000.00000007.sdmp | false | | unknown
      https://www.google.com | Ppto.24265.exe, 00000005.00000003.2564095645.0000000005F96000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
      http://www.ftp.ftp://ftp.gopher. | Ppto.24265.exe, 00000005.00000001.2403920361.0000000000649000.00000020.00000001.01000000.00000007.sdmp | false | | unknown
      https://drive.usercontent.google.com/ | Ppto.24265.exe, 00000005.00000002.3172420411.0000000005F91000.00000004.00000020.00020000.00000000.sdmp, Ppto.24265.exe, 00000005.00000003.2834508031.0000000005F8A000.00000004.00000020.00020000.00000000.sdmp, Ppto.24265.exe, 00000005.00000003.2601379180.0000000005F91000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
      http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd | Ppto.24265.exe, 00000005.00000001.2403920361.00000000005F2000.00000020.00000001.01000000.00000007.sdmp | false | | unknown
      http://nsis.sf.net/NSIS_Error | Ppto.24265.exe | false | URL Reputation: safe | unknown
      https://apis.google.com | Ppto.24265.exe, 00000005.00000003.2564095645.0000000005F96000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
      http://nsis.sf.net/NSIS_ErrorError | Ppto.24265.exe | false | URL Reputation: safe | unknown
      https://drive.google.com/ | Ppto.24265.exe, 00000005.00000002.3172317600.0000000005F28000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
      https://drive.usercontent.google.com/t | Ppto.24265.exe, 00000005.00000002.3172420411.0000000005F91000.00000004.00000020.00020000.00000000.sdmp, Ppto.24265.exe, 00000005.00000003.2834508031.0000000005F8A000.00000004.00000020.00020000.00000000.sdmp, Ppto.24265.exe, 00000005.00000003.2601379180.0000000005F91000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
      https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214 | Ppto.24265.exe, 00000005.00000001.2403920361.0000000000649000.00000020.00000001.01000000.00000007.sdmp | false | | unknown

      IP | Domain | Country | Flag | ASN | ASN Name | Malicious
      172.217.16.193 | drive.usercontent.google.com | United States | | 15169 | GOOGLEUS | false
      142.250.185.238 | drive.google.com | United States | | 15169 | GOOGLEUS | false

      Joe Sandbox version: 41.0.0 Charoite
      Analysis ID: 1545384
      Start date and time: 2024-10-30 14:18:57 +01:00
      Joe Sandbox product: CloudBasic
      Overall analysis duration: 0h 8m 29s
      Hypervisor based Inspection enabled: false
      Report type: full
      Cookbook file name: default.jbs
      Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Run name: Run with higher sleep bypass
      Number of analysed new started processes analysed: 8
      Number of new started drivers analysed: 0
      Number of existing processes analysed: 0
      Number of existing drivers analysed: 0
      Number of injected processes analysed: 0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode: default
      Analysis stop reason: Timeout
      Sample name: Ppto.24265.exe
      Detection: MAL
      Classification: mal68.troj.evad.winEXE@3/12@2/2
      EGA Information:
      • Successful, ratio: 100%
      HCA Information:
      • Successful, ratio: 89%
      • Number of executed functions: 48
      • Number of non-executed functions: 299
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
      • Not all processes were analyzed, report is missing behavior information
      • Report size getting too big, too many NtOpenKeyEx calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.
      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
      • VT rate limit hit for: Ppto.24265.exe

      No simulations
      No context
      No context
      No context

      Match | Associated Sample Name / URL | Detection | Threat Name | Context
      37f463bf4616ecd445d4a1937da06e19 | Factura Honorarios 2024-10.exe | malicious | GuLoader, Snake Keylogger | 142.250.185.238, 172.217.16.193
      37f463bf4616ecd445d4a1937da06e19 | Stadigheder43.exe | malicious | FormBook, GuLoader | 142.250.185.238, 172.217.16.193
      37f463bf4616ecd445d4a1937da06e19 | Forreste.exe | malicious | FormBook, GuLoader | 142.250.185.238, 172.217.16.193
      37f463bf4616ecd445d4a1937da06e19 | Fernissagerne.exe | malicious | Snake Keylogger | 142.250.185.238, 172.217.16.193
      37f463bf4616ecd445d4a1937da06e19 | JUSTIFICANTE PAGO FRAS OCTUBRE 2024.exe | malicious | GuLoader, Snake Keylogger | 142.250.185.238, 172.217.16.193
      37f463bf4616ecd445d4a1937da06e19 | tdnPqG0jmS.exe | malicious | Stealc, Vidar | 142.250.185.238, 172.217.16.193
      37f463bf4616ecd445d4a1937da06e19 | Micra.exe | malicious | GuLoader | 142.250.185.238, 172.217.16.193
      37f463bf4616ecd445d4a1937da06e19 | Micra.exe | malicious | FormBook, GuLoader | 142.250.185.238, 172.217.16.193
      37f463bf4616ecd445d4a1937da06e19 | Viridine84.exe | malicious | FormBook, GuLoader | 142.250.185.238, 172.217.16.193

      Match | Associated Sample Name / URL | Detection | Threat Name | Context
      C:\Users\user\AppData\Local\Temp\nsv5087.tmp\System.dll | Ricowell Ind New INQ.bat.exe | malicious | FormBook, GuLoader |
      C:\Users\user\AppData\Local\Temp\nsv5087.tmp\System.dll | Ricowell Ind New INQ.bat.exe | malicious | GuLoader |
      C:\Users\user\AppData\Local\Temp\nsv5087.tmp\System.dll | Setup_x86.exe | malicious | Unknown |
      C:\Users\user\AppData\Local\Temp\nsv5087.tmp\System.dll | ORDER.exe | malicious | FormBook, GuLoader |
      C:\Users\user\AppData\Local\Temp\nsv5087.tmp\System.dll | ORDER.exe | malicious | Unknown |
      C:\Users\user\AppData\Local\Temp\nsv5087.tmp\System.dll | ulACwpUCSU.exe | malicious | FormBook, GuLoader |
      C:\Users\user\AppData\Local\Temp\nsv5087.tmp\System.dll | fJuwM4Bwi7.exe | malicious | FormBook, GuLoader |
      C:\Users\user\AppData\Local\Temp\nsv5087.tmp\System.dll | ulACwpUCSU.exe | malicious | GuLoader |
      C:\Users\user\AppData\Local\Temp\nsv5087.tmp\System.dll | fJuwM4Bwi7.exe | malicious | GuLoader |

      Process: C:\Users\user\Desktop\Ppto.24265.exe
      File Type: ASCII text, with CRLF line terminators
      Category: dropped
      Size (bytes): 41
      Entropy (8bit): 4.387443772646929
      Encrypted: false
      SSDEEP: 3:cZT6LAPGqbIy:402GaIy
      MD5: 58E97653296C05A6CD3E36CF15954E45
      SHA1: 8068025450B6D982046C2FEB037F78CEDCAB3694
      SHA-256: 86A1407548FF33DFA40BF74D9E37D5A427A033B4895517595BC3C4E197C6A7CC
      SHA-512: A4C2741E8A6FCF0A39AF7597EC30C8A8A8D96B6727B84FA392703974A004C98CA69E13C05471BE6DB86E93F109EC563B227E320FF559812DD3285F7DE787FCFC
      Malicious: false
      Reputation: low
      Preview: [Miskredittens]..Unevangelical=myoplasm..

      Process: C:\Users\user\Desktop\Ppto.24265.exe
      File Type: data
      Category: dropped
      Size (bytes): 2576979
      Entropy (8bit): 2.7299402279924734
      Encrypted: false
      SSDEEP: 12288:uDmDAkKiXjJIeGuUCldNuMw2/Uabg2SI+Fs4SFUKKirqu5yG:Vv3uNMlbzjjbx9+Fs4S3rp5yG
      MD5: 3321CFB1D16E89900116F9B3C23123E8
      SHA1: 73FE12096F315597A4E1292CD6AB806BE3CF3A5A
      SHA-256: B4806C1F5B79749FF5A08AF1F9CC98C85862FF0C8105EACC6DDB6032463C7EB1
      SHA-512: 62AE8A21ACA10E9FFAC8F25D90423F3993FC67EEC717591DC894CB71268F008BC5EEDA070BA894C5CDB04E13453D1B683A49CE8CC4C55899B42147214BC6A1B6
      Malicious: false
      Reputation: low
                                            Process:C:\Users\user\Desktop\Ppto.24265.exe
                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):11264
                                            Entropy (8bit):5.779474184733856
                                            Encrypted:false
                                            SSDEEP:96:zPDYcJ+nx4vVp76JX7zBlkCg21Fxz4THxtrqw1at0JgwLEjo+OB3yUVCdl/wNj+y:zPtkuWJX7zB3kGwfy0nyUVsxCjOM61u
                                            MD5:6F5257C0B8C0EF4D440F4F4FCE85FB1B
                                            SHA1:B6AC111DFB0D1FC75AD09C56BDE7830232395785
                                            SHA-256:B7CCB923387CC346731471B20FC3DF1EAD13EC8C2E3147353C71BB0BD59BC8B1
                                            SHA-512:A3CC27F1EFB52FB8ECDA54A7C36ADA39CEFEABB7B16F2112303EA463B0E1A4D745198D413EEBB3551E012C84A20DCDF4359E511E51BC3F1A60B13F1E3BAD1AA8
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            Joe Sandbox View:
                                             • Filename: Ricowell Ind New INQ.bat.exe, Detection: malicious
                                             • Filename: Ricowell Ind New INQ.bat.exe, Detection: malicious
                                             • Filename: Setup_x86.exe, Detection: malicious
                                             • Filename: ORDER.exe, Detection: malicious
                                             • Filename: ORDER.exe, Detection: malicious
                                             • Filename: ulACwpUCSU.exe, Detection: malicious
                                             • Filename: fJuwM4Bwi7.exe, Detection: malicious
                                             • Filename: ulACwpUCSU.exe, Detection: malicious
                                             • Filename: fJuwM4Bwi7.exe, Detection: malicious
                                            Reputation:moderate, very likely benign file
                                            Process:C:\Users\user\Desktop\Ppto.24265.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):401536
                                            Entropy (8bit):1.2538327017259105
                                            Encrypted:false
                                            SSDEEP:768:hrhUQCsdgYcI1orIsrIL1XZu4JR42CTvY29tHczEZGDLIh3bZNN4wkhFILKONCgI:1hxNZX2b0Q/h3orH+CdbEY4biAtCX
                                            MD5:E69DD5B1AA9767BDE886F9223DA4F724
                                            SHA1:F1004655A61E9427D82392001C2CB8FEA80526AE
                                            SHA-256:280F30DE3FC47ED27D3060C666ACE16BF7D097665D2CBAF5C99447C503DD1BD7
                                            SHA-512:28949933D0673CA0F1CF0D7FC16DA701C3031A3CE2A9A4881E490EDDCECFD143033A918019AC18DA98035CD04E533F6189F30CF1028967B83400DC97AA8C7046
                                            Malicious:false
                                            Reputation:low
                                            Process:C:\Users\user\Desktop\Ppto.24265.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):433537
                                            Entropy (8bit):7.525772777624956
                                            Encrypted:false
                                            SSDEEP:12288:3mDAkKiXjJIeGuUCldNuMw2/Uabg2SI+FsY:Wv3uNMlbzjjbx9+FsY
                                            MD5:14A54EF225B787662111612F409E48F9
                                            SHA1:8B9567999D2D1AACD76D03A978104F6059A6C087
                                            SHA-256:54E0589954746EFF2CF4503AB47608BAB9CF8C68B8EC4D858F4A6C5756138EA3
                                            SHA-512:FBC6264F2E1869509D0F65A21D5E96908B4D18361DB41E98BA5040FB935EA4AFA8B87F35D187F98235E9A64C12F0E6D059E38E7F75F66A8C03C3DD4BB31A030A
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\Ppto.24265.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):25761
                                            Entropy (8bit):4.578267900252434
                                            Encrypted:false
                                            SSDEEP:384:Po9socqO8s88s8CmrS8y+YaLlfUOcytHZ26wnS/zInTaY3k:POA8shs8YzNif1Zz1Y3k
                                            MD5:6F1028BFD772024F2AB07AB466CA595A
                                            SHA1:66F92D7D4875BE8D807F2F8EF16374417A788CBB
                                            SHA-256:19322B775C02FC96903CB97E6D916EE71D48280BDFAC0FA788DE538064B3855A
                                            SHA-512:1A4E5894F30BB73079351296B4E1488D1E5434DC3446ADC06A8A921377262294F508B349EEB22B785E9394A3F1060C96C34C9E460C640C6F176CA3BDFF3F2FDC
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\Ppto.24265.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):321944
                                            Entropy (8bit):1.2601285537179499
                                            Encrypted:false
                                            SSDEEP:768:44fFKEDY244rWfVFgvqT9VB70o8vmpkAAe7seYBe5zEBI5tGi513u/+YEyv5yOUy:v9ehB0smTesEFUsHJbum
                                            MD5:30FE848CB9EA67E7450A98D83D845B19
                                            SHA1:AF07B13A6AD8B6FB7592FDDD9D584A6DF221BCBB
                                            SHA-256:961D5DC64F8E96BE4EEBA7EBB874C36C0125B1E854448B66174A51495BBD2F35
                                            SHA-512:ED8CAC78ABF339ECCDAF0CE85F5ED925B46CFC8475BD47BF3AA5B26D265A2A3BB9678608CD1EA95D98C59EE9FA15D5065EF4A364988ED40B4D75DEEE445BE0A9
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\Ppto.24265.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):350087
                                            Entropy (8bit):1.2601483252231778
                                            Encrypted:false
                                            SSDEEP:1536:3NxUj52XwmFAWE/J8amMJp9ZuRevZQ2AdZ:9eDm67mMJHcD
                                            MD5:560EED343A21944C8B914214B9FAF30E
                                            SHA1:A3C8849B406309FA3D312368187523088E15E922
                                            SHA-256:8429F7A99E29F9942ADB0BBE624E2E8A1262639B5A08AE9F16E7EC39641FD53D
                                            SHA-512:D791542C5B54798F7D2FB16C8C5FADDC36A69A3CC8F78DB7BB4B672963C7FE42D27297C002F22787571F0860581A0D871248CCC14901A44F979426F22C9EF23C
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\Ppto.24265.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):495219
                                            Entropy (8bit):1.2547765727327922
                                            Encrypted:false
                                            SSDEEP:1536:G3rXcdRf5UF4AAdRo1P7Q10Ow0qp+a4DwNH0ppMcAGghuI:GbXcdB5UKrRC7hku+wipMcAGc
                                            MD5:E435336D4703D5DFD7AD2488DF93A0E2
                                            SHA1:8B3C93A626E13930B600C205BCFC7F48F2BD73C3
                                            SHA-256:C75975C000D423BBF4EDF915D2E91F031D89E38DBB28AC790DE05DA2F590568A
                                            SHA-512:169992BAB78302C3D38FE4031DB9B000ABA51D9E141EBECB2400F34ED28B8FE6F8F755F1B54028D250C36E4C50A637A08C74697743FB10B23ED01AA44EA26DB2
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\Ppto.24265.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):263524
                                            Entropy (8bit):1.2622386604826017
                                            Encrypted:false
                                            SSDEEP:768:TpYr9zAP2g4x5JuuV0GXsCnjfO/NhA7OorrRajaWDX2vNBeO12LfnsFvNnx6sMRZ:qBf3xNCUhSaKWzqqxcRkmv7/X
                                            MD5:835F7733AAB5DB05C1DEC322DF4B57F4
                                            SHA1:9730B24C0A61CF2A0E5586390F7AD2441D33E828
                                            SHA-256:6E0FED879E46AA1AA00429BA09B24110ACD009C27BF27593D7890E2A7820F334
                                            SHA-512:8AC530DAC98CD008159BF243B79948039FDF51F579EB4CD342E79F0625E4548611628369FFCFD71A9252F29D02F8EED3003597CCDC9994F4DA988EEBBF4F247A
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\Ppto.24265.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):263699
                                            Entropy (8bit):1.2538398040302556
                                            Encrypted:false
                                            SSDEEP:768:CNyP1Od4xcUHq3YBDjYJAqHe2l7qM/gqSZDydD8WgoVRleIeIqcSCtA7nCzTbtdO:PLEbOzYlaY7WvakYrKuG
                                            MD5:A723F4EE3C2A4740483403406CBEBEB2
                                            SHA1:357E611755580C29EB650E8465C3C0A4B0DB623C
                                            SHA-256:154D9B6466A6C67C00F1A3E8C49A2B7523185E99F6B87FE4421BA29DAD7B3DE9
                                            SHA-512:01EED0900789293F9464FE87C7E48C5C28EB216D0A4F8EC7146035F9AE77AF5468D042306097FA11D08EDD155D02A8DA8D0B128FC6841485458F970644782639
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\Ppto.24265.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):522
                                            Entropy (8bit):4.343544961056216
                                            Encrypted:false
                                            SSDEEP:12:KZrwWLHcHsCL6tyTgj3OgdOqlracD7MDqy+3RfSXMtRfwIbmcdbg:KZTcMZ1Ll5nMGyCR6XywIbxbg
                                            MD5:427A0634BAD318C0C107C249A6BC2349
                                            SHA1:20150FDA12DE5B8AF24A8286C22A3F3C2E8AA08E
                                            SHA-256:9AB119A635E7066A0614A258CF204A29D64779AF2DC2FF41C39F275C7613AD83
                                            SHA-512:5FEBB1B54CE26CBCABD1F031DB500BB0AD32157C8D2789F92E0C1D2340BFBA5596513FBAA455426F8022E646CE17D74FAF05EBF782051F06A80B202F453EF8C8
                                            Malicious:false
                                            Preview:unicolour italic strukturalismes surmulers skattefriheds.glycyl knoernes concussions inequicostate.tror dramshop executionist damascerer dameworts peartly appendices toturenes mekanistiske denunciative vejet menopause..generet tetroxid chumpish dybtvirkende illianna sansculotte..floorway skuffers produktudviklingers unresuscitated kankedort uncompliance latinization foryngelsen depotbevis redekamme palmetto orthosymmetrical dativiske..slgtsgaardenes forureningsflsommmes upstaunch wabash mastology fumeuse forsiringen,
                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                            Entropy (8bit):7.9833019811344395
                                            TrID:
                                            • Win32 Executable (generic) a (10002005/4) 92.16%
                                            • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                            • DOS Executable Generic (2002/1) 0.02%
                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                            File name:Ppto.24265.exe
                                            File size:784'080 bytes
                                            MD5:e1950e5f53b57caa57a7d2fa03f82b3d
                                            SHA1:fe3515a0b99aea3b2bdeed2493662ea7ed3e4ca2
                                            SHA256:3b9e1f0340918787ead7bbf5e5ac6415c392963f046f948fe39e522df43e1ab3
                                            SHA512:ef7ef2b39371af9612e781788d8df5ec3c776059a7cd27e4af0bbab38bfd8ed3cb3760294408f6d75ad171dc4d2ab57747d648ead5555a6d605e3c05a0228c87
                                            SSDEEP:12288:ANNkXjHW/JcL23RjqQP7tLBQxhHdo0CSNTT9M3kNgIV9AtatbCCH9JyQMKSvvQ9T:ATkTH4+L231qMFOxhDvNq0Ng8G60QVMw
                                            TLSH:49F423514597C557DFA6CDBA3190C9027136EA811C2203A6DF10DFEF18322A7AD2E2BF
                                            Icon Hash:3d2e0f95332b3399
                                            Entrypoint:0x403217
                                            Entrypoint Section:.text
                                            Digitally signed:true
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x55C15CE3 [Wed Aug 5 00:46:27 2015 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:59a4a44a250c4cf4f2d9de2b3fe5d95f
                                            Signature Valid:false
                                            Signature Issuer:CN=Might, O=Might, L=Fauldhouse, C=GB
                                            Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                            Error Number:-2146762487
                                             Not Before:13/02/2024 10:52:01
                                             Not After:12/02/2027 10:52:01
                                            Subject Chain
                                            • CN=Might, O=Might, L=Fauldhouse, C=GB
                                            Version:3
                                            Thumbprint MD5:DB138EDC6CA94F437BCE7E9164AB985F
                                            Thumbprint SHA-1:647BB5FDDBCF81F8691FF6CB5AA9928E397C266D
                                            Thumbprint SHA-256:89BF069F26B4E5A1802DBC987649AB3BC3B93F06ECDFD864270CB05DA0F388BD
                                            Serial:3E12164659FE69A672EFD73AE5F90D5DEB591098
                                            Instruction
                                            sub esp, 00000184h
                                            push ebx
                                            push ebp
                                            push esi
                                            xor ebx, ebx
                                            push edi
                                            mov dword ptr [esp+18h], ebx
                                            mov dword ptr [esp+10h], 00409130h
                                            mov dword ptr [esp+20h], ebx
                                            mov byte ptr [esp+14h], 00000020h
                                            call dword ptr [00407034h]
                                            push 00008001h
                                            call dword ptr [004070B4h]
                                            push ebx
                                            call dword ptr [0040728Ch]
                                            push 00000009h
                                            mov dword ptr [004237B8h], eax
                                            call 00007F56C0844E2Ah
                                            mov dword ptr [00423704h], eax
                                            push ebx
                                            lea eax, dword ptr [esp+38h]
                                            push 00000160h
                                            push eax
                                            push ebx
                                            push 0041ECB8h
                                            call dword ptr [00407164h]
                                            push 004091E4h
                                            push 00422F00h
                                            call 00007F56C0844AD4h
                                            call dword ptr [004070B0h]
                                            mov ebp, 00429000h
                                            push eax
                                            push ebp
                                            call 00007F56C0844AC2h
                                            push ebx
                                            call dword ptr [00407118h]
                                            cmp byte ptr [00429000h], 00000022h
                                            mov dword ptr [00423700h], eax
                                            mov eax, ebp
                                            jne 00007F56C084202Ch
                                            mov byte ptr [esp+14h], 00000022h
                                            mov eax, 00429001h
                                            push dword ptr [esp+14h]
                                            push eax
                                            call 00007F56C0844552h
                                            push eax
                                            call dword ptr [00407220h]
                                            mov dword ptr [esp+1Ch], eax
                                            jmp 00007F56C08420E5h
                                            cmp cl, 00000020h
                                            jne 00007F56C0842028h
                                            inc eax
                                            cmp byte ptr [eax], 00000020h
                                            je 00007F56C084201Ch
                                            Programming Language:
                                            • [EXP] VC++ 6.0 SP5 build 8804
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x39000 | 0x1438 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0xbd668 | 0x2068 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x298 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x5c3a | 0x5e00 | e5e7adda692e6e028f515fe3daa2b69f | False | 0.658951130319149 | data | 6.410406825129756 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x7000 | 0x11ce | 0x1200 | 5801d712ecba58aa87d1e7d1aa24f3aa | False | 0.4522569444444444 | OpenPGP Secret Key | 5.236122428806677 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x9000 | 0x1a7f8 | 0x400 | cc58d0a55ac015d8f1470ea90f440596 | False | 0.615234375 | data | 5.02661163746607 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .ndata | 0x24000 | 0x15000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x39000 | 0x1438 | 0x1600 | a61a539f7c33f7a1963d3a18259a72b9 | False | 0.35102982954545453 | data | 4.159196321655099 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_BITMAP | 0x392b0 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States | 0.23623853211009174 |
| RT_ICON | 0x39618 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.42473118279569894 |
| RT_DIALOG | 0x39900 | 0x144 | data | English | United States | 0.5216049382716049 |
| RT_DIALOG | 0x39a48 | 0x13c | data | English | United States | 0.5506329113924051 |
| RT_DIALOG | 0x39b88 | 0x100 | data | English | United States | 0.5234375 |
| RT_DIALOG | 0x39c88 | 0x11c | data | English | United States | 0.6056338028169014 |
| RT_DIALOG | 0x39da8 | 0xc4 | data | English | United States | 0.5918367346938775 |
| RT_DIALOG | 0x39e70 | 0x60 | data | English | United States | 0.7291666666666666 |
| RT_GROUP_ICON | 0x39ed0 | 0x14 | data | English | United States | 1.2 |
| RT_VERSION | 0x39ee8 | 0x20c | data | English | United States | 0.5267175572519084 |
| RT_MANIFEST | 0x3a0f8 | 0x33f | XML 1.0 document, ASCII text, with very long lines (831), with no line terminators | English | United States | 0.5547533092659447 |
| DLL | Import |
|---|---|
| KERNEL32.dll | GetTickCount, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, SearchPathA, GetShortPathNameA, CreateFileA, GetFileSize, GetModuleFileNameA, ReadFile, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, CloseHandle, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrlenA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrcpyA, lstrcatA, GetSystemDirectoryA, GetVersion, GetProcAddress, GlobalAlloc, CompareFileTime, SetFileTime, ExpandEnvironmentStringsA, lstrcmpiA, lstrcmpA, WaitForSingleObject, GlobalFree, GetExitCodeProcess, GetModuleHandleA, GetTempPathA, GetWindowsDirectoryA, LoadLibraryExA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, WriteFile, FindClose, WritePrivateProfileStringA, MultiByteToWideChar, MulDiv, GetPrivateProfileStringA, FreeLibrary |
| USER32.dll | CreateWindowExA, EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, GetDC, SystemParametersInfoA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, CreateDialogParamA, SetTimer, GetDlgItem, wsprintfA, SetForegroundWindow, ShowWindow, IsWindow, LoadImageA, SetWindowLongA, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, PostQuitMessage, FindWindowExA, SendMessageTimeoutA, SetWindowTextA |
| GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
| SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA |
| ADVAPI32.dll | RegCloseKey, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumValueA, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA |
| COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
| ole32.dll | CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize |
| VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States | |
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-30T14:21:48.110475+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.8 | 61702 | 142.250.185.238 | 443 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            Oct 30, 2024 14:21:51.726979971 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.727710009 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.727718115 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.727871895 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.729885101 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.730592966 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.730603933 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.730669975 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.732501030 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.734576941 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.734586000 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.734647989 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.735136032 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.737941980 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.737956047 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.738002062 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.738020897 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.738109112 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.738116026 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.738212109 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.740552902 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.740672112 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.740679026 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.742651939 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.743365049 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.743881941 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.743889093 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.743998051 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.746059895 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.747107029 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.747126102 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.748413086 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.748503923 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.748569012 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.748584032 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.748655081 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.751085997 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.753688097 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.753701925 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.754216909 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.754265070 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.754265070 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.754282951 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.754328012 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.756208897 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.756365061 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.756372929 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.757936001 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.758886099 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.759896040 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.759907961 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.761418104 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.761461973 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.761506081 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.761506081 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.761518002 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.762562990 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.763838053 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.763947964 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.763974905 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.764049053 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.767258883 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.767591000 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.767597914 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.767685890 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.769135952 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.769893885 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.769902945 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.769968987 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.782565117 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.782607079 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.782629967 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.782645941 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.782666922 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.782711983 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.782722950 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.782722950 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.782730103 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.782783985 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.782783985 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.783586025 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.783812046 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.783821106 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.783935070 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.783979893 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.783984900 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.784034967 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.784034967 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.784040928 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.784291983 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.787134886 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.787240982 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.787245035 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.787369967 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.788391113 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.788551092 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.788554907 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.788829088 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.790824890 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.793138027 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.793180943 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.793205976 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.793221951 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.793253899 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.793253899 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.795371056 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.795869112 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.795878887 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.796025991 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.797765017 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.797868967 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.797874928 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.797946930 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.799787998 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.799839973 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.799890041 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.799926996 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.802252054 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.805448055 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.805465937 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.805552006 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.806612968 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.806694984 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.806709051 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.806771040 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.807570934 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.808619976 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.808631897 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.810566902 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.810570955 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.810652018 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.812469959 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.813514948 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.813596010 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.813621998 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.813627958 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.813673019 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.813719988 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.815705061 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.817585945 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.817612886 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.818609953 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.818614006 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.818662882 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.819550991 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.821476936 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.821532965 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.821532965 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.821541071 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.822621107 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.822628021 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.822705984 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.823457956 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.825404882 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.825474977 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.825484037 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.826617002 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.827177048 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.829221010 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.829267025 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.829288006 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.829298973 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.829338074 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.829416990 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.830863953 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.832866907 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.832885981 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.832979918 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.832984924 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.833039045 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.833039045 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.834594011 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.834646940 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.834654093 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.834692001 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.836361885 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.836594105 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.836600065 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.836776972 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.838054895 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.838089943 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.838124990 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.838124990 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.838130951 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.838305950 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.838305950 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.838330984 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.838474035 CET44361703172.217.16.193192.168.2.8
                                            Oct 30, 2024 14:21:51.838556051 CET61703443192.168.2.8172.217.16.193
                                            Oct 30, 2024 14:21:51.838660955 CET61703443192.168.2.8172.217.16.193
                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            Oct 30, 2024 14:20:12.291225910 CET | 53 | 59650 | 1.1.1.1 | 192.168.2.8
                                            Oct 30, 2024 14:20:13.923938990 CET | 53 | 59353 | 1.1.1.1 | 192.168.2.8
                                            Oct 30, 2024 14:21:46.784040928 CET | 65200 | 53 | 192.168.2.8 | 1.1.1.1
                                            Oct 30, 2024 14:21:46.792172909 CET | 53 | 65200 | 1.1.1.1 | 192.168.2.8
                                            Oct 30, 2024 14:21:48.130278111 CET | 64908 | 53 | 192.168.2.8 | 1.1.1.1
                                            Oct 30, 2024 14:21:48.138732910 CET | 53 | 64908 | 1.1.1.1 | 192.168.2.8

                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                            Oct 30, 2024 14:21:46.784040928 CET | 192.168.2.8 | 1.1.1.1 | 0x57fd | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
                                            Oct 30, 2024 14:21:48.130278111 CET | 192.168.2.8 | 1.1.1.1 | 0x65d8 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false

                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                            Oct 30, 2024 14:21:46.792172909 CET | 1.1.1.1 | 192.168.2.8 | 0x57fd | No error (0) | drive.google.com |  | 142.250.185.238 | A (IP address) | IN (0x0001) | false
                                            Oct 30, 2024 14:21:48.138732910 CET | 1.1.1.1 | 192.168.2.8 | 0x65d8 | No error (0) | drive.usercontent.google.com |  | 172.217.16.193 | A (IP address) | IN (0x0001) | false
                                            • drive.google.com
                                            • drive.usercontent.google.com
                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            0 | 192.168.2.8 | 61702 | 142.250.185.238 | 443 | 4648 | C:\Users\user\Desktop\Ppto.24265.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            2024-10-30 13:21:47 UTC | 216 | OUT | GET /uc?export=download&id=1HjhLFhBl9QJWRF-emMzs9wHbwEMU7xFm HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                            Host: drive.google.com
                                            Cache-Control: no-cache
                                            2024-10-30 13:21:48 UTC | 1610 | IN | HTTP/1.1 303 See Other
                                            Content-Type: application/binary
                                            Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                            Pragma: no-cache
                                            Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                            Date: Wed, 30 Oct 2024 13:21:47 GMT
                                            Location: https://drive.usercontent.google.com/download?id=1HjhLFhBl9QJWRF-emMzs9wHbwEMU7xFm&export=download
                                            Strict-Transport-Security: max-age=31536000
                                            Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                            Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                            Content-Security-Policy: script-src 'nonce-e60ohdNy5sUHBN5Q3Hce9g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                            Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                            Cross-Origin-Opener-Policy: same-origin
                                            Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                            Server: ESF
                                            Content-Length: 0
                                            X-XSS-Protection: 0
                                            X-Frame-Options: SAMEORIGIN
                                            X-Content-Type-Options: nosniff
                                            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                            Connection: close


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            1 | 192.168.2.8 | 61703 | 172.217.16.193 | 443 | 4648 | C:\Users\user\Desktop\Ppto.24265.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            2024-10-30 13:21:48 UTC | 258 | OUT | GET /download?id=1HjhLFhBl9QJWRF-emMzs9wHbwEMU7xFm&export=download HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                            Cache-Control: no-cache
                                            Host: drive.usercontent.google.com
                                            Connection: Keep-Alive
                                            2024-10-30 13:21:51 UTC | 4909 | IN | HTTP/1.1 200 OK
                                            Content-Type: application/octet-stream
                                            Content-Security-Policy: sandbox
                                            Content-Security-Policy: default-src 'none'
                                            Content-Security-Policy: frame-ancestors 'none'
                                            X-Content-Security-Policy: sandbox
                                            Cross-Origin-Opener-Policy: same-origin
                                            Cross-Origin-Embedder-Policy: require-corp
                                            Cross-Origin-Resource-Policy: same-site
                                            X-Content-Type-Options: nosniff
                                            Content-Disposition: attachment; filename="DXTgMDX165.bin"
                                            Access-Control-Allow-Origin: *
                                            Access-Control-Allow-Credentials: false
                                            Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
                                            Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                            Accept-Ranges: bytes
                                            Content-Length: 288832
                                            Last-Modified: Tue, 29 Oct 2024 22:26:33 GMT
                                            X-GUploader-UploadID: AHmUCY0oGNSJgBd8dHOgYWE7SjaAeuDa9Oc93qM9_8-AkVq0zCrcMdCNLVrmMr_3TamnIf0HDcs
                                            Date: Wed, 30 Oct 2024 13:21:51 GMT
                                            Expires: Wed, 30 Oct 2024 13:21:51 GMT
                                            Cache-Control: private, max-age=0
                                            X-Goog-Hash: crc32c=zRqyxw==
                                            Server: UploadServer
                                            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                            Connection: close



                                            Target ID:0
                                            Start time:09:19:52
                                            Start date:30/10/2024
                                            Path:C:\Users\user\Desktop\Ppto.24265.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\Ppto.24265.exe"
                                            Imagebase:0x400000
                                            File size:784'080 bytes
                                            MD5 hash:E1950E5F53B57CAA57A7D2FA03F82B3D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2405366164.00000000056C7000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:true

                                            Target ID:5
                                            Start time:09:21:30
                                            Start date:30/10/2024
                                            Path:C:\Users\user\Desktop\Ppto.24265.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\Ppto.24265.exe"
                                            Imagebase:0x400000
                                            File size:784'080 bytes
                                            MD5 hash:E1950E5F53B57CAA57A7D2FA03F82B3D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3193311561.0000000035CC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:true


                                              Execution Graph

                                              Execution Coverage:19.5%
                                              Dynamic/Decrypted Code Coverage:14.4%
                                              Signature Coverage:21.1%
                                              Total number of Nodes:1469
                                              Total number of Limit Nodes:44
4350 4037b3 4348->4350 4524 405c94 wsprintfA 4349->4524 4351 405c1d 3 API calls 4350->4351 4352 4037de 4351->4352 4353 4037fc lstrcatA 4352->4353 4355 405c1d 3 API calls 4352->4355 4356 4037b1 4353->4356 4355->4353 4515 403a4c 4356->4515 4359 4058b4 18 API calls 4361 40382e 4359->4361 4360 4038b7 4362 4058b4 18 API calls 4360->4362 4361->4360 4363 405c1d 3 API calls 4361->4363 4364 4038bd 4362->4364 4366 40385a 4363->4366 4365 4038cd LoadImageA 4364->4365 4367 405d58 18 API calls 4364->4367 4368 403973 4365->4368 4369 4038f4 RegisterClassA 4365->4369 4366->4360 4370 403876 lstrlenA 4366->4370 4373 4057f1 CharNextA 4366->4373 4367->4365 4372 40140b 2 API calls 4368->4372 4371 40392a SystemParametersInfoA CreateWindowExA 4369->4371 4399 40397d 4369->4399 4374 403884 lstrcmpiA 4370->4374 4375 4038aa 4370->4375 4371->4368 4376 403979 4372->4376 4377 403874 4373->4377 4374->4375 4378 403894 GetFileAttributesA 4374->4378 4379 4057c6 3 API calls 4375->4379 4381 403a4c 19 API calls 4376->4381 4376->4399 4377->4370 4380 4038a0 4378->4380 4382 4038b0 4379->4382 4380->4375 4383 40580d 2 API calls 4380->4383 4384 40398a 4381->4384 4525 405d36 lstrcpynA 4382->4525 4383->4375 4386 403996 ShowWindow LoadLibraryA 4384->4386 4387 403a19 4384->4387 4389 4039b5 LoadLibraryA 4386->4389 4390 4039bc GetClassInfoA 4386->4390 4526 4050f1 OleInitialize 4387->4526 4389->4390 4392 4039d0 GetClassInfoA RegisterClassA 4390->4392 4393 4039e6 DialogBoxParamA 4390->4393 4391 403a1f 4395 403a23 4391->4395 4396 403a3b 4391->4396 4392->4393 4394 40140b 2 API calls 4393->4394 4394->4399 4398 40140b 2 API calls 4395->4398 4395->4399 4397 40140b 2 API calls 4396->4397 4397->4399 4398->4399 4399->4296 4400->4238 4534 405d36 lstrcpynA 4401->4534 4403 4058c5 4404 40585f 4 API calls 4403->4404 4405 4058cb 4404->4405 4406 4034a3 4405->4406 4407 405fa1 5 API calls 4405->4407 4406->4296 4415 405d36 lstrcpynA 4406->4415 4413 4058db 4407->4413 4408 405906 lstrlenA 4409 405911 4408->4409 4408->4413 4411 4057c6 3 
API calls 4409->4411 4412 405916 GetFileAttributesA 4411->4412 4412->4406 4413->4406 4413->4408 4414 40580d 2 API calls 4413->4414 4535 40603a FindFirstFileA 4413->4535 4414->4408 4415->4280 4416->4285 4418 4036b0 4417->4418 4419 4036a6 CloseHandle 4417->4419 4420 4036c4 4418->4420 4421 4036ba CloseHandle 4418->4421 4419->4418 4538 4036f2 4420->4538 4421->4420 4429 40555f 4426->4429 4427 4034f4 ExitProcess 4428 405573 MessageBoxIndirectA 4428->4427 4429->4427 4429->4428 4430->4271 4431->4299 4433 406061 3 API calls 4432->4433 4434 405bf1 4433->4434 4436 405c12 4434->4436 4595 405a6e lstrcpyA 4434->4595 4436->4299 4438 405524 4437->4438 4439 405518 CloseHandle 4437->4439 4438->4299 4439->4438 4441 4057e0 lstrcatA 4440->4441 4442 403201 CreateDirectoryA 4440->4442 4441->4442 4442->4314 4443->4318 4444->4320 4446 40581a 4445->4446 4447 402ce5 4446->4447 4448 40581f CharPrevA 4446->4448 4449 405d36 lstrcpynA 4447->4449 4448->4446 4448->4447 4449->4324 4451 402c00 4450->4451 4452 402be8 4450->4452 4454 402c10 GetTickCount 4451->4454 4455 402c08 4451->4455 4453 402bf1 DestroyWindow 4452->4453 4460 402bf8 4452->4460 4453->4460 4457 402c1e 4454->4457 4454->4460 4485 40609a 4455->4485 4458 402c53 CreateDialogParamA ShowWindow 4457->4458 4459 402c26 4457->4459 4458->4460 4459->4460 4489 402bbe 4459->4489 4460->4330 4460->4345 4484 4031cc SetFilePointer 4460->4484 4462 402c34 wsprintfA 4463 40501f 25 API calls 4462->4463 4464 402c51 4463->4464 4464->4460 4465->4343 4467 402f4b 4466->4467 4468 402f2f SetFilePointer 4466->4468 4492 40303a GetTickCount 4467->4492 4468->4467 4473 40303a 43 API calls 4474 402f82 4473->4474 4475 402ffc ReadFile 4474->4475 4477 402ff6 4474->4477 4480 402f92 4474->4480 4475->4477 4477->4345 4478 405a3f ReadFile 4478->4480 4479 402fc5 WriteFile 4479->4477 4479->4480 4480->4477 4480->4478 4480->4479 4482 405a3f ReadFile 4481->4482 4483 4031c9 4482->4483 4483->4327 4484->4334 4486 4060b7 PeekMessageA 4485->4486 4487 4060c7 4486->4487 4488 4060ad 
DispatchMessageA 4486->4488 4487->4460 4488->4486 4490 402bcd 4489->4490 4491 402bcf MulDiv 4489->4491 4490->4491 4491->4462 4493 4031a4 4492->4493 4494 403069 4492->4494 4495 402bda 33 API calls 4493->4495 4507 4031cc SetFilePointer 4494->4507 4502 402f52 4495->4502 4497 403074 SetFilePointer 4501 403099 4497->4501 4498 4031b6 ReadFile 4498->4501 4500 402bda 33 API calls 4500->4501 4501->4498 4501->4500 4501->4502 4503 40312e WriteFile 4501->4503 4504 403185 SetFilePointer 4501->4504 4508 406161 4501->4508 4502->4477 4505 405a3f ReadFile 4502->4505 4503->4501 4503->4502 4504->4493 4506 402f6b 4505->4506 4506->4473 4506->4477 4507->4497 4509 406186 4508->4509 4512 40618e 4508->4512 4509->4501 4510 406215 GlobalFree 4511 40621e GlobalAlloc 4510->4511 4511->4509 4511->4512 4512->4509 4512->4510 4512->4511 4512->4512 4513 406295 GlobalAlloc 4512->4513 4514 40628c GlobalFree 4512->4514 4513->4509 4513->4512 4514->4513 4516 403a60 4515->4516 4533 405c94 wsprintfA 4516->4533 4518 403ad1 4519 405d58 18 API calls 4518->4519 4520 403add SetWindowTextA 4519->4520 4521 40380c 4520->4521 4522 403af9 4520->4522 4521->4359 4522->4521 4523 405d58 18 API calls 4522->4523 4523->4522 4524->4356 4525->4360 4527 404038 SendMessageA 4526->4527 4530 405114 4527->4530 4528 40513b 4529 404038 SendMessageA 4528->4529 4531 40514d OleUninitialize 4529->4531 4530->4528 4532 401389 2 API calls 4530->4532 4531->4391 4532->4530 4533->4518 4534->4403 4536 406050 FindClose 4535->4536 4537 40605b 4535->4537 4536->4537 4537->4413 4539 403700 4538->4539 4540 4036c9 4539->4540 4541 403705 FreeLibrary GlobalFree 4539->4541 4542 4055f6 4540->4542 4541->4540 4541->4541 4543 4058b4 18 API calls 4542->4543 4544 405616 4543->4544 4545 405635 4544->4545 4546 40561e DeleteFileA 4544->4546 4548 405763 4545->4548 4582 405d36 lstrcpynA 4545->4582 4547 4034d6 OleUninitialize 4546->4547 4547->4259 4547->4260 4548->4547 4553 40603a 2 API calls 4548->4553 4550 40565b 4551 405661 lstrcatA 4550->4551 4552 40566e 
4550->4552 4554 405674 4551->4554 4555 40580d 2 API calls 4552->4555 4556 405787 4553->4556 4557 405682 lstrcatA 4554->4557 4559 40568d lstrlenA FindFirstFileA 4554->4559 4555->4554 4556->4547 4558 40578b 4556->4558 4557->4559 4560 4057c6 3 API calls 4558->4560 4559->4548 4564 4056b1 4559->4564 4561 405791 4560->4561 4563 4055ae 5 API calls 4561->4563 4562 4057f1 CharNextA 4562->4564 4565 40579d 4563->4565 4564->4562 4569 405742 FindNextFileA 4564->4569 4578 405703 4564->4578 4583 405d36 lstrcpynA 4564->4583 4566 4057a1 4565->4566 4567 4057b7 4565->4567 4566->4547 4572 40501f 25 API calls 4566->4572 4568 40501f 25 API calls 4567->4568 4568->4547 4569->4564 4571 40575a FindClose 4569->4571 4571->4548 4573 4057ae 4572->4573 4574 405bea 40 API calls 4573->4574 4577 4057b5 4574->4577 4576 4055f6 64 API calls 4576->4578 4577->4547 4578->4569 4578->4576 4579 40501f 25 API calls 4578->4579 4580 40501f 25 API calls 4578->4580 4581 405bea 40 API calls 4578->4581 4584 4055ae 4578->4584 4579->4569 4580->4578 4581->4578 4582->4550 4583->4564 4592 4059a2 GetFileAttributesA 4584->4592 4587 4055db 4587->4578 4588 4055d1 DeleteFileA 4590 4055d7 4588->4590 4589 4055c9 RemoveDirectoryA 4589->4590 4590->4587 4591 4055e7 SetFileAttributesA 4590->4591 4591->4587 4593 4055ba 4592->4593 4594 4059b4 SetFileAttributesA 4592->4594 4593->4587 4593->4588 4593->4589 4594->4593 4596 405a97 4595->4596 4597 405abd GetShortPathNameA 4595->4597 4620 4059c7 GetFileAttributesA CreateFileA 4596->4620 4599 405ad2 4597->4599 4600 405be4 4597->4600 4599->4600 4602 405ada wsprintfA 4599->4602 4600->4436 4601 405aa1 CloseHandle GetShortPathNameA 4601->4600 4603 405ab5 4601->4603 4604 405d58 18 API calls 4602->4604 4603->4597 4603->4600 4605 405b02 4604->4605 4621 4059c7 GetFileAttributesA CreateFileA 4605->4621 4607 405b0f 4607->4600 4608 405b1e GetFileSize GlobalAlloc 4607->4608 4609 405b40 4608->4609 4610 405bdd CloseHandle 4608->4610 4611 405a3f ReadFile 4609->4611 4610->4600 4612 405b48 4611->4612 
4612->4610 4622 40592c lstrlenA 4612->4622 4615 405b73 4617 40592c 4 API calls 4615->4617 4616 405b5f lstrcpyA 4618 405b81 4616->4618 4617->4618 4619 405bb8 SetFilePointer WriteFile GlobalFree 4618->4619 4619->4610 4620->4601 4621->4607 4623 40596d lstrlenA 4622->4623 4624 405975 4623->4624 4625 405946 lstrcmpiA 4623->4625 4624->4615 4624->4616 4625->4624 4626 405964 CharNextA 4625->4626 4626->4623 5315 10001058 5317 10001074 5315->5317 5316 100010dc 5317->5316 5318 100014bb GlobalFree 5317->5318 5319 10001091 5317->5319 5318->5319 5320 100014bb GlobalFree 5319->5320 5321 100010a1 5320->5321 5322 100010b1 5321->5322 5323 100010a8 GlobalSize 5321->5323 5324 100010b5 GlobalAlloc 5322->5324 5325 100010c6 5322->5325 5323->5322 5326 100014e2 3 API calls 5324->5326 5327 100010d1 GlobalFree 5325->5327 5326->5325 5327->5316 4645 402519 4646 4029e0 18 API calls 4645->4646 4650 402523 4646->4650 4647 40258d 4648 405a3f ReadFile 4648->4650 4649 40258f 4654 405c94 wsprintfA 4649->4654 4650->4647 4650->4648 4650->4649 4651 40259f 4650->4651 4651->4647 4653 4025b5 SetFilePointer 4651->4653 4653->4647 4654->4647 4655 403b19 4656 403b31 4655->4656 4657 403c6c 4655->4657 4656->4657 4658 403b3d 4656->4658 4659 403cbd 4657->4659 4660 403c7d GetDlgItem GetDlgItem 4657->4660 4661 403b48 SetWindowPos 4658->4661 4662 403b5b 4658->4662 4664 403d17 4659->4664 4672 401389 2 API calls 4659->4672 4663 403fec 19 API calls 4660->4663 4661->4662 4666 403b60 ShowWindow 4662->4666 4667 403b78 4662->4667 4668 403ca7 SetClassLongA 4663->4668 4665 404038 SendMessageA 4664->4665 4686 403c67 4664->4686 4696 403d29 4665->4696 4666->4667 4669 403b80 DestroyWindow 4667->4669 4670 403b9a 4667->4670 4671 40140b 2 API calls 4668->4671 4673 403f96 4669->4673 4674 403bb0 4670->4674 4675 403b9f SetWindowLongA 4670->4675 4671->4659 4676 403cef 4672->4676 4683 403fa6 ShowWindow 4673->4683 4673->4686 4680 403c59 4674->4680 4681 403bbc GetDlgItem 4674->4681 4675->4686 4676->4664 4677 403cf3 SendMessageA 4676->4677 
4677->4686 4678 40140b 2 API calls 4678->4696 4679 403f77 DestroyWindow EndDialog 4679->4673 4735 404053 4680->4735 4684 403bec 4681->4684 4685 403bcf SendMessageA IsWindowEnabled 4681->4685 4683->4686 4688 403bf9 4684->4688 4689 403c40 SendMessageA 4684->4689 4690 403c0c 4684->4690 4699 403bf1 4684->4699 4685->4684 4685->4686 4687 405d58 18 API calls 4687->4696 4688->4689 4688->4699 4689->4680 4693 403c14 4690->4693 4694 403c29 4690->4694 4692 403fec 19 API calls 4692->4696 4697 40140b 2 API calls 4693->4697 4698 40140b 2 API calls 4694->4698 4695 403c27 4695->4680 4696->4678 4696->4679 4696->4686 4696->4687 4696->4692 4716 403eb7 DestroyWindow 4696->4716 4726 403fec 4696->4726 4697->4699 4700 403c30 4698->4700 4732 403fc5 4699->4732 4700->4680 4700->4699 4702 403da4 GetDlgItem 4703 403dc1 ShowWindow KiUserCallbackDispatcher 4702->4703 4704 403db9 4702->4704 4729 40400e EnableWindow 4703->4729 4704->4703 4706 403deb EnableWindow 4710 403dff 4706->4710 4707 403e04 GetSystemMenu EnableMenuItem SendMessageA 4708 403e34 SendMessageA 4707->4708 4707->4710 4708->4710 4710->4707 4730 404021 SendMessageA 4710->4730 4731 405d36 lstrcpynA 4710->4731 4712 403e62 lstrlenA 4713 405d58 18 API calls 4712->4713 4714 403e73 SetWindowTextA 4713->4714 4715 401389 2 API calls 4714->4715 4715->4696 4716->4673 4717 403ed1 CreateDialogParamA 4716->4717 4717->4673 4718 403f04 4717->4718 4719 403fec 19 API calls 4718->4719 4720 403f0f GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4719->4720 4721 401389 2 API calls 4720->4721 4722 403f55 4721->4722 4722->4686 4723 403f5d ShowWindow 4722->4723 4724 404038 SendMessageA 4723->4724 4725 403f75 4724->4725 4725->4673 4727 405d58 18 API calls 4726->4727 4728 403ff7 SetDlgItemTextA 4727->4728 4728->4702 4729->4706 4730->4710 4731->4712 4733 403fd2 SendMessageA 4732->4733 4734 403fcc 4732->4734 4733->4695 4734->4733 4736 40406b GetWindowLongA 4735->4736 4746 4040f4 4735->4746 4737 40407c 4736->4737 4736->4746 4738 40408b GetSysColor 
4737->4738 4739 40408e 4737->4739 4738->4739 4740 404094 SetTextColor 4739->4740 4741 40409e SetBkMode 4739->4741 4740->4741 4742 4040b6 GetSysColor 4741->4742 4743 4040bc 4741->4743 4742->4743 4744 4040c3 SetBkColor 4743->4744 4745 4040cd 4743->4745 4744->4745 4745->4746 4747 4040e0 DeleteObject 4745->4747 4748 4040e7 CreateBrushIndirect 4745->4748 4746->4686 4747->4748 4748->4746 4770 40231c 4771 402322 4770->4771 4772 4029fd 18 API calls 4771->4772 4773 402334 4772->4773 4774 4029fd 18 API calls 4773->4774 4775 40233e RegCreateKeyExA 4774->4775 4776 402663 4775->4776 4777 402368 4775->4777 4778 402380 4777->4778 4779 4029fd 18 API calls 4777->4779 4780 40238c 4778->4780 4783 4029e0 18 API calls 4778->4783 4782 402379 lstrlenA 4779->4782 4781 4023a7 RegSetValueExA 4780->4781 4784 402f1f 46 API calls 4780->4784 4785 4023bd RegCloseKey 4781->4785 4782->4778 4783->4780 4784->4781 4785->4776 4787 40499c GetDlgItem GetDlgItem 4788 4049ee 7 API calls 4787->4788 4833 404c06 4787->4833 4789 404a91 DeleteObject 4788->4789 4790 404a84 SendMessageA 4788->4790 4791 404a9a 4789->4791 4790->4789 4793 404ad1 4791->4793 4794 405d58 18 API calls 4791->4794 4792 404cea 4797 404d96 4792->4797 4803 404f7e 4792->4803 4808 404d43 SendMessageA 4792->4808 4796 403fec 19 API calls 4793->4796 4798 404ab3 SendMessageA SendMessageA 4794->4798 4795 404ccb 4795->4792 4805 404cdc SendMessageA 4795->4805 4802 404ae5 4796->4802 4799 404da0 SendMessageA 4797->4799 4800 404da8 4797->4800 4798->4791 4799->4800 4810 404dc1 4800->4810 4811 404dba ImageList_Destroy 4800->4811 4819 404dd1 4800->4819 4801 404c66 4806 4048ea 5 API calls 4801->4806 4807 403fec 19 API calls 4802->4807 4804 404053 8 API calls 4803->4804 4809 404f8c 4804->4809 4805->4792 4822 404c77 4806->4822 4823 404af3 4807->4823 4808->4803 4813 404d58 SendMessageA 4808->4813 4814 404dca GlobalFree 4810->4814 4810->4819 4811->4810 4812 404f40 4812->4803 4817 404f52 ShowWindow GetDlgItem ShowWindow 4812->4817 4816 404d6b 4813->4816 
4814->4819 4815 404bc7 GetWindowLongA SetWindowLongA 4818 404be0 4815->4818 4824 404d7c SendMessageA 4816->4824 4817->4803 4820 404be6 ShowWindow 4818->4820 4821 404bfe 4818->4821 4819->4812 4831 40496a 4 API calls 4819->4831 4837 404e0c 4819->4837 4842 404021 SendMessageA 4820->4842 4843 404021 SendMessageA 4821->4843 4822->4795 4823->4815 4825 404bc1 4823->4825 4828 404b42 SendMessageA 4823->4828 4829 404b7e SendMessageA 4823->4829 4830 404b8f SendMessageA 4823->4830 4824->4797 4825->4815 4825->4818 4828->4823 4829->4823 4830->4823 4831->4837 4832 404bf9 4832->4803 4833->4792 4833->4795 4833->4801 4834 404f16 InvalidateRect 4834->4812 4835 404f2c 4834->4835 4844 4048a5 4835->4844 4836 404e3a SendMessageA 4838 404e50 4836->4838 4837->4836 4837->4838 4838->4834 4839 404eb1 4838->4839 4841 404ec4 SendMessageA SendMessageA 4838->4841 4839->4841 4841->4838 4842->4832 4843->4833 4847 4047e0 4844->4847 4846 4048ba 4846->4812 4848 4047f6 4847->4848 4849 405d58 18 API calls 4848->4849 4850 40485a 4849->4850 4851 405d58 18 API calls 4850->4851 4852 404865 4851->4852 4853 405d58 18 API calls 4852->4853 4854 40487b lstrlenA wsprintfA SetDlgItemTextA 4853->4854 4854->4846 5335 40261c 5336 402637 5335->5336 5337 40261f 5335->5337 5339 4027bd 5336->5339 5341 405d36 lstrcpynA 5336->5341 5338 40262c FindNextFileA 5337->5338 5338->5336 5341->5339 5342 100010e0 5343 1000110e 5342->5343 5344 100011c4 GlobalFree 5343->5344 5345 100012ad 2 API calls 5343->5345 5346 100011c3 5343->5346 5347 10001266 2 API calls 5343->5347 5348 10001155 GlobalAlloc 5343->5348 5349 100011ea GlobalFree 5343->5349 5350 100011b1 GlobalFree 5343->5350 5351 100012d1 lstrcpyA 5343->5351 5345->5343 5346->5344 5347->5350 5348->5343 5349->5343 5350->5343 5351->5343 5352 4016a1 5353 4029fd 18 API calls 5352->5353 5354 4016a7 GetFullPathNameA 5353->5354 5355 4016be 5354->5355 5356 4016df 5354->5356 5355->5356 5359 40603a 2 API calls 5355->5359 5357 402892 5356->5357 5358 4016f3 GetShortPathNameA 5356->5358 
5358->5357 5360 4016cf 5359->5360 5360->5356 5362 405d36 lstrcpynA 5360->5362 5362->5356 5363 10002162 5364 100021c0 5363->5364 5366 100021f6 5363->5366 5365 100021d2 GlobalAlloc 5364->5365 5364->5366 5365->5364 5367 401d26 GetDC GetDeviceCaps 5368 4029e0 18 API calls 5367->5368 5369 401d44 MulDiv ReleaseDC 5368->5369 5370 4029e0 18 API calls 5369->5370 5371 401d63 5370->5371 5372 405d58 18 API calls 5371->5372 5373 401d9c CreateFontIndirectA 5372->5373 5374 4024cb 5373->5374 5375 40442a 5376 404456 5375->5376 5377 404467 5375->5377 5436 40552e GetDlgItemTextA 5376->5436 5379 404473 GetDlgItem 5377->5379 5380 4044d2 5377->5380 5383 404487 5379->5383 5381 4045b6 5380->5381 5390 405d58 18 API calls 5380->5390 5434 40475f 5380->5434 5381->5434 5438 40552e GetDlgItemTextA 5381->5438 5382 404461 5384 405fa1 5 API calls 5382->5384 5385 40449b SetWindowTextA 5383->5385 5388 40585f 4 API calls 5383->5388 5384->5377 5389 403fec 19 API calls 5385->5389 5387 404053 8 API calls 5392 404773 5387->5392 5393 404491 5388->5393 5394 4044b7 5389->5394 5395 404546 SHBrowseForFolderA 5390->5395 5391 4045e6 5396 4058b4 18 API calls 5391->5396 5393->5385 5400 4057c6 3 API calls 5393->5400 5397 403fec 19 API calls 5394->5397 5395->5381 5398 40455e CoTaskMemFree 5395->5398 5399 4045ec 5396->5399 5401 4044c5 5397->5401 5402 4057c6 3 API calls 5398->5402 5439 405d36 lstrcpynA 5399->5439 5400->5385 5437 404021 SendMessageA 5401->5437 5404 40456b 5402->5404 5407 4045a2 SetDlgItemTextA 5404->5407 5411 405d58 18 API calls 5404->5411 5406 4044cb 5409 406061 3 API calls 5406->5409 5407->5381 5408 404603 5410 406061 3 API calls 5408->5410 5409->5380 5417 40460b 5410->5417 5413 40458a lstrcmpiA 5411->5413 5412 404645 5440 405d36 lstrcpynA 5412->5440 5413->5407 5414 40459b lstrcatA 5413->5414 5414->5407 5416 40464e 5418 40585f 4 API calls 5416->5418 5417->5412 5422 40580d 2 API calls 5417->5422 5423 40469d 5417->5423 5419 404654 GetDiskFreeSpaceA 5418->5419 5421 404676 MulDiv 5419->5421 5419->5423 
5421->5423 5422->5417 5424 40470e 5423->5424 5426 4048a5 21 API calls 5423->5426 5425 404731 5424->5425 5427 40140b 2 API calls 5424->5427 5441 40400e EnableWindow 5425->5441 5428 4046fb 5426->5428 5427->5425 5430 404710 SetDlgItemTextA 5428->5430 5431 404700 5428->5431 5430->5424 5432 4047e0 21 API calls 5431->5432 5432->5424 5433 40474d 5433->5434 5442 4043bf 5433->5442 5434->5387 5436->5382 5437->5406 5438->5391 5439->5408 5440->5416 5441->5433 5443 4043d2 SendMessageA 5442->5443 5444 4043cd 5442->5444 5443->5434 5444->5443 4119 40172c 4120 4029fd 18 API calls 4119->4120 4121 401733 4120->4121 4125 4059f6 4121->4125 4123 40173a 4124 4059f6 2 API calls 4123->4124 4124->4123 4126 405a01 GetTickCount GetTempFileNameA 4125->4126 4127 405a32 4126->4127 4128 405a2e 4126->4128 4127->4123 4128->4126 4128->4127 4129 401dac 4137 4029e0 4129->4137 4131 401db2 4132 4029e0 18 API calls 4131->4132 4133 401dbb 4132->4133 4134 401dc2 ShowWindow 4133->4134 4135 401dcd EnableWindow 4133->4135 4136 402892 4134->4136 4135->4136 4138 405d58 18 API calls 4137->4138 4139 4029f4 4138->4139 4139->4131 5445 401eac 5446 4029fd 18 API calls 5445->5446 5447 401eb3 5446->5447 5448 40603a 2 API calls 5447->5448 5449 401eb9 5448->5449 5451 401ecb 5449->5451 5452 405c94 wsprintfA 5449->5452 5452->5451 5453 40192d 5454 4029fd 18 API calls 5453->5454 5455 401934 lstrlenA 5454->5455 5456 4024cb 5455->5456 5457 4024af 5458 4029fd 18 API calls 5457->5458 5459 4024b6 5458->5459 5462 4059c7 GetFileAttributesA CreateFileA 5459->5462 5461 4024c2 5462->5461 5470 401cb0 5471 4029e0 18 API calls 5470->5471 5472 401cc0 SetWindowLongA 5471->5472 5473 402892 5472->5473 5474 401a31 5475 4029e0 18 API calls 5474->5475 5476 401a37 5475->5476 5477 4029e0 18 API calls 5476->5477 5478 4019e1 5477->5478 5479 401e32 5480 4029fd 18 API calls 5479->5480 5481 401e38 5480->5481 5482 40501f 25 API calls 5481->5482 5483 401e42 5482->5483 5484 4054e5 2 API calls 5483->5484 5488 401e48 5484->5488 5485 401e9e CloseHandle 5487 
402663 5485->5487 5486 401e67 WaitForSingleObject 5486->5488 5489 401e75 GetExitCodeProcess 5486->5489 5488->5485 5488->5486 5488->5487 5490 40609a 2 API calls 5488->5490 5491 401e87 5489->5491 5492 401e90 5489->5492 5490->5486 5494 405c94 wsprintfA 5491->5494 5492->5485 5494->5492 4193 4015b3 4194 4029fd 18 API calls 4193->4194 4195 4015ba 4194->4195 4211 40585f CharNextA CharNextA 4195->4211 4197 40160a 4198 40160f 4197->4198 4201 401638 4197->4201 4200 401423 25 API calls 4198->4200 4199 4057f1 CharNextA 4202 4015d0 CreateDirectoryA 4199->4202 4203 401616 4200->4203 4206 401423 25 API calls 4201->4206 4204 4015c2 4202->4204 4205 4015e5 GetLastError 4202->4205 4217 405d36 lstrcpynA 4203->4217 4204->4197 4204->4199 4205->4204 4208 4015f2 GetFileAttributesA 4205->4208 4210 401630 4206->4210 4208->4204 4209 401621 SetCurrentDirectoryA 4209->4210 4212 40587a 4211->4212 4214 40588a 4211->4214 4212->4214 4215 405885 CharNextA 4212->4215 4213 4058aa 4213->4204 4214->4213 4216 4057f1 CharNextA 4214->4216 4215->4213 4216->4214 4217->4209 5495 404135 5496 40414b 5495->5496 5500 404257 5495->5500 5499 403fec 19 API calls 5496->5499 5497 4042c6 5498 4042d0 GetDlgItem 5497->5498 5501 40439a 5497->5501 5505 4042e6 5498->5505 5506 404358 5498->5506 5502 4041a1 5499->5502 5500->5497 5500->5501 5507 40429b GetDlgItem SendMessageA 5500->5507 5503 404053 8 API calls 5501->5503 5504 403fec 19 API calls 5502->5504 5508 404395 5503->5508 5509 4041ae CheckDlgButton 5504->5509 5505->5506 5510 40430c 6 API calls 5505->5510 5506->5501 5511 40436a 5506->5511 5526 40400e EnableWindow 5507->5526 5524 40400e EnableWindow 5509->5524 5510->5506 5514 404370 SendMessageA 5511->5514 5515 404381 5511->5515 5514->5515 5515->5508 5518 404387 SendMessageA 5515->5518 5516 4042c1 5519 4043bf SendMessageA 5516->5519 5517 4041cc GetDlgItem 5525 404021 SendMessageA 5517->5525 5518->5508 5519->5497 5521 4041e2 SendMessageA 5522 404200 GetSysColor 5521->5522 5523 404209 SendMessageA SendMessageA lstrlenA 
SendMessageA SendMessageA 5521->5523 5522->5523 5523->5508 5524->5517 5525->5521 5526->5516 5527 402036 5528 4029fd 18 API calls 5527->5528 5529 40203d 5528->5529 5530 4029fd 18 API calls 5529->5530 5531 402047 5530->5531 5532 4029fd 18 API calls 5531->5532 5533 402051 5532->5533 5534 4029fd 18 API calls 5533->5534 5535 40205b 5534->5535 5536 4029fd 18 API calls 5535->5536 5537 402064 5536->5537 5538 40207a CoCreateInstance 5537->5538 5539 4029fd 18 API calls 5537->5539 5542 402099 5538->5542 5543 40214d 5538->5543 5539->5538 5540 401423 25 API calls 5541 402181 5540->5541 5542->5543 5544 40212f MultiByteToWideChar 5542->5544 5543->5540 5543->5541 5544->5543 5545 4014b7 5546 4014bd 5545->5546 5547 401389 2 API calls 5546->5547 5548 4014c5 5547->5548 5549 401bb8 5550 4029e0 18 API calls 5549->5550 5551 401bbf 5550->5551 5552 4029e0 18 API calls 5551->5552 5553 401bc9 5552->5553 5554 401bd9 5553->5554 5555 4029fd 18 API calls 5553->5555 5556 4029fd 18 API calls 5554->5556 5560 401be9 5554->5560 5555->5554 5556->5560 5557 401bf4 5561 4029e0 18 API calls 5557->5561 5558 401c38 5559 4029fd 18 API calls 5558->5559 5562 401c3d 5559->5562 5560->5557 5560->5558 5563 401bf9 5561->5563 5564 4029fd 18 API calls 5562->5564 5565 4029e0 18 API calls 5563->5565 5566 401c46 FindWindowExA 5564->5566 5567 401c02 5565->5567 5570 401c64 5566->5570 5568 401c28 SendMessageA 5567->5568 5569 401c0a SendMessageTimeoutA 5567->5569 5568->5570 5569->5570 4749 40243a 4750 402b07 19 API calls 4749->4750 4751 402444 4750->4751 4752 4029e0 18 API calls 4751->4752 4753 40244d 4752->4753 4754 402457 4753->4754 4757 402663 4753->4757 4755 402470 RegEnumValueA 4754->4755 4756 402464 RegEnumKeyA 4754->4756 4755->4757 4758 402489 RegCloseKey 4755->4758 4756->4758 4758->4757 4760 40223b 4761 402243 4760->4761 4762 402249 4760->4762 4763 4029fd 18 API calls 4761->4763 4764 4029fd 18 API calls 4762->4764 4767 402259 4762->4767 4763->4762 4764->4767 4765 4029fd 18 API calls 4768 402267 4765->4768 4766 
4029fd 18 API calls 4769 402270 WritePrivateProfileStringA 4766->4769 4767->4765 4767->4768 4768->4766 4855 40173f 4856 4029fd 18 API calls 4855->4856 4857 401746 4856->4857 4858 401764 4857->4858 4859 40176c 4857->4859 4894 405d36 lstrcpynA 4858->4894 4895 405d36 lstrcpynA 4859->4895 4862 40176a 4866 405fa1 5 API calls 4862->4866 4863 401777 4864 4057c6 3 API calls 4863->4864 4865 40177d lstrcatA 4864->4865 4865->4862 4887 401789 4866->4887 4867 40603a 2 API calls 4867->4887 4868 4059a2 2 API calls 4868->4887 4870 4017a0 CompareFileTime 4870->4887 4871 401864 4873 40501f 25 API calls 4871->4873 4872 40183b 4874 40501f 25 API calls 4872->4874 4881 401850 4872->4881 4875 40186e 4873->4875 4874->4881 4876 402f1f 46 API calls 4875->4876 4877 401881 4876->4877 4878 401895 SetFileTime 4877->4878 4880 4018a7 CloseHandle 4877->4880 4878->4880 4879 405d58 18 API calls 4879->4887 4880->4881 4882 4018b8 4880->4882 4884 4018d0 4882->4884 4885 4018bd 4882->4885 4883 405d36 lstrcpynA 4883->4887 4886 405d58 18 API calls 4884->4886 4888 405d58 18 API calls 4885->4888 4890 4018d8 4886->4890 4887->4867 4887->4868 4887->4870 4887->4871 4887->4872 4887->4879 4887->4883 4891 40554a MessageBoxIndirectA 4887->4891 4893 4059c7 GetFileAttributesA CreateFileA 4887->4893 4889 4018c5 lstrcatA 4888->4889 4889->4890 4892 40554a MessageBoxIndirectA 4890->4892 4891->4887 4892->4881 4893->4887 4894->4862 4895->4863 5571 40163f 5572 4029fd 18 API calls 5571->5572 5573 401645 5572->5573 5574 40603a 2 API calls 5573->5574 5575 40164b 5574->5575 5576 40193f 5577 4029e0 18 API calls 5576->5577 5578 401946 5577->5578 5579 4029e0 18 API calls 5578->5579 5580 401950 5579->5580 5581 4029fd 18 API calls 5580->5581 5582 401959 5581->5582 5583 40196c lstrlenA 5582->5583 5584 4019a7 5582->5584 5585 401976 5583->5585 5585->5584 5589 405d36 lstrcpynA 5585->5589 5587 401990 5587->5584 5588 40199d lstrlenA 5587->5588 5588->5584 5589->5587

                                              Control-flow Graph (entry block 403217-4032ae; legend: Executed, Not Executed)
                                              APIs
                                              • #17.COMCTL32 ref: 00403238
                                              • SetErrorMode.KERNELBASE(00008001), ref: 00403243
                                              • OleInitialize.OLE32(00000000), ref: 0040324A
                                                • Part of subcall function 00406061: GetModuleHandleA.KERNEL32(?,?,?,0040325C,00000009), ref: 00406073
                                                • Part of subcall function 00406061: LoadLibraryA.KERNELBASE(?,?,?,0040325C,00000009), ref: 0040607E
                                                • Part of subcall function 00406061: GetProcAddress.KERNEL32(00000000,?), ref: 0040608F
                                              • SHGetFileInfoA.SHELL32(0041ECB8,00000000,?,00000160,00000000,00000009), ref: 00403272
                                                • Part of subcall function 00405D36: lstrcpynA.KERNEL32(?,?,00000400,00403287,00422F00,NSIS Error), ref: 00405D43
                                              • GetCommandLineA.KERNEL32(00422F00,NSIS Error), ref: 00403287
                                              • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\Ppto.24265.exe",00000000), ref: 0040329A
                                              • CharNextA.USER32(00000000,"C:\Users\user\Desktop\Ppto.24265.exe",00000020), ref: 004032C5
                                              • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 004033C2
                                              • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004033D3
                                              • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004033DF
                                              • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004033F3
                                              • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004033FB
                                              • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040340C
                                              • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403414
                                              • DeleteFileA.KERNELBASE(1033), ref: 00403428
                                              • OleUninitialize.OLE32(?), ref: 004034D6
                                              • ExitProcess.KERNEL32 ref: 004034F6
                                              • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\Ppto.24265.exe",00000000,?), ref: 00403502
                                              • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 0040350E
                                              • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040351A
                                              • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403521
                                              • DeleteFileA.KERNEL32(0041E8B8,0041E8B8,?,764,?), ref: 0040357A
                                              • CopyFileA.KERNEL32(C:\Users\user\Desktop\Ppto.24265.exe,0041E8B8,?), ref: 0040358E
                                              • CloseHandle.KERNEL32(00000000,0041E8B8,0041E8B8,?,0041E8B8,00000000), ref: 004035BB
                                              • GetCurrentProcess.KERNEL32(00000028,?,00000006,00000005,00000004), ref: 00403614
                                              • ExitWindowsEx.USER32(00000002,80040002), ref: 0040366C
                                              • ExitProcess.KERNEL32 ref: 0040368F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2404030666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404060230.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404164831.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
                                              • String ID: "$"C:\Users\user\Desktop\Ppto.24265.exe"$1033$764$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Ppto.24265.exe$C:\Users\user\colombians\fanwort\cherie$C:\Users\user\colombians\fanwort\cherie\Hingstefl\Eneceller$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$`KXu$~nsu.tmp
                                              • API String ID: 4107622049-2688098459
                                              • Opcode ID: 0a4126efc7e7714b555efae386955985c927905d4936dfb5ad464eb296f58fdc
                                              • Instruction ID: 3d26bb40307c87b2cd60c260c775e6d0301d96a10e68b952128d49a18977981a
                                              • Opcode Fuzzy Hash: 0a4126efc7e7714b555efae386955985c927905d4936dfb5ad464eb296f58fdc
                                              • Instruction Fuzzy Hash: 85B107706082517AE721AF659D8DA2B3EACEB41706F04447FF541BA1E2C77C9E01CB6E

                                              Control-flow Graph

                                              APIs
                                              • GetDlgItem.USER32(?,000003F9), ref: 004049B4
                                              • GetDlgItem.USER32(?,00000408), ref: 004049BF
                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 00404A09
                                              • LoadBitmapA.USER32(0000006E), ref: 00404A1C
                                              • SetWindowLongA.USER32(?,000000FC,00404F93), ref: 00404A35
                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A49
                                              • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404A5B
                                              • SendMessageA.USER32(?,00001109,00000002), ref: 00404A71
                                              • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404A7D
                                              • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404A8F
                                              • DeleteObject.GDI32(00000000), ref: 00404A92
                                              • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404ABD
                                              • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404AC9
                                              • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404B5E
                                              • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404B89
                                              • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404B9D
                                              • GetWindowLongA.USER32(?,000000F0), ref: 00404BCC
                                              • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404BDA
                                              • ShowWindow.USER32(?,00000005), ref: 00404BEB
                                              • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404CE8
                                              • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404D4D
                                              • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404D62
                                              • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404D86
                                              • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404DA6
                                              • ImageList_Destroy.COMCTL32(?), ref: 00404DBB
                                              • GlobalFree.KERNEL32(?), ref: 00404DCB
                                              • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404E44
                                              • SendMessageA.USER32(?,00001102,?,?), ref: 00404EED
                                              • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404EFC
                                              • InvalidateRect.USER32(?,00000000,?), ref: 00404F1C
                                              • ShowWindow.USER32(?,00000000), ref: 00404F6A
                                              • GetDlgItem.USER32(?,000003FE), ref: 00404F75
                                              • ShowWindow.USER32(00000000), ref: 00404F7C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                              • String ID: $M$N
                                              • API String ID: 1638840714-813528018
                                              • Opcode ID: f96aeeab4a25318005a3a9f7b7ecea2fbdc3284bb246aef355b8d85046c4ff9d
                                              • Instruction ID: ec1b41ef9246f4b5ca9c31e675ea93c5522bc938a585a88f05d0904c7564d9ec
                                              • Opcode Fuzzy Hash: f96aeeab4a25318005a3a9f7b7ecea2fbdc3284bb246aef355b8d85046c4ff9d
                                              • Instruction Fuzzy Hash: 7A025FB0900209AFEB10DF94DC85AAE7BB5FB84315F10817AFA10B62E1D7789D42DF58

                                              Control-flow Graph

                                              APIs
                                              • GetVersion.KERNEL32(?,0041F4D8,00000000,00405057,0041F4D8,00000000), ref: 00405E09
                                              • GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 00405E84
                                              • GetWindowsDirectoryA.KERNEL32(Call,00000400), ref: 00405E97
                                              • SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405ED3
                                              • SHGetPathFromIDListA.SHELL32(00000000,Call), ref: 00405EE1
                                              • CoTaskMemFree.OLE32(00000000), ref: 00405EEC
                                              • lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00405F0E
                                              • lstrlenA.KERNEL32(Call,?,0041F4D8,00000000,00405057,0041F4D8,00000000), ref: 00405F60
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                              • String ID: 764$Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                              • API String ID: 900638850-4040697301
                                              • Opcode ID: 0d90defceccf7a3314d6588998510e1a0ef65c4c2f55f086f079bc5466073577
                                              • Instruction ID: 9c0e267699f90c8e910d98bdf84d4b8f2614ab6024826f89c9d009b20b1e8bc4
                                              • Opcode Fuzzy Hash: 0d90defceccf7a3314d6588998510e1a0ef65c4c2f55f086f079bc5466073577
                                              • Instruction Fuzzy Hash: 10610571A04905ABDF215F64DC84B7B3BA8DB55304F10813BE641B62D1D33C4A42DF9E

                                              Control-flow Graph

                                              APIs
                                              • DeleteFileA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 0040561F
                                              • lstrcatA.KERNEL32(00420D00,\*.*,00420D00,?,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 00405667
                                              • lstrcatA.KERNEL32(?,00409014,?,00420D00,?,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 00405688
                                              • lstrlenA.KERNEL32(?,?,00409014,?,00420D00,?,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 0040568E
                                              • FindFirstFileA.KERNELBASE(00420D00,?,?,?,00409014,?,00420D00,?,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 0040569F
                                              • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 0040574C
                                              • FindClose.KERNEL32(00000000), ref: 0040575D
                                              Strings
                                              • "C:\Users\user\Desktop\Ppto.24265.exe", xrefs: 004055F6
                                              • \*.*, xrefs: 00405661
                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405604
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                              • String ID: "C:\Users\user\Desktop\Ppto.24265.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                              • API String ID: 2035342205-319101817
                                              • Opcode ID: 2c0e135ab85e8c1b684459b6fe88bffee4ab9643b255028ced496145508b1eab
                                              • Instruction ID: a1a18f6d4a87cf364f513f4d5348cf8987bf6841df45d5f239a42b9e89fe31fb
                                              • Opcode Fuzzy Hash: 2c0e135ab85e8c1b684459b6fe88bffee4ab9643b255028ced496145508b1eab
                                              • Instruction Fuzzy Hash: 8051D230905A04FADB216B618C89BBF7AB8DF42714F54803BF445721D2D73C4942EE6E

                                              Control-flow Graph

                                              APIs
                                              • GetModuleHandleA.KERNELBASE(00000000,?,000000F0), ref: 00401F93
                                                • Part of subcall function 0040501F: lstrlenA.KERNEL32(0041F4D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405058
                                                • Part of subcall function 0040501F: lstrlenA.KERNEL32(00402C51,0041F4D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405068
                                                • Part of subcall function 0040501F: lstrcatA.KERNEL32(0041F4D8,00402C51,00402C51,0041F4D8,00000000,00000000,00000000), ref: 0040507B
                                                • Part of subcall function 0040501F: SetWindowTextA.USER32(0041F4D8,0041F4D8), ref: 0040508D
                                                • Part of subcall function 0040501F: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050B3
                                                • Part of subcall function 0040501F: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004050CD
                                                • Part of subcall function 0040501F: SendMessageA.USER32(?,00001013,?,00000000), ref: 004050DB
                                              • LoadLibraryExA.KERNELBASE(00000000,?,00000008,?,000000F0), ref: 00401FA3
                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00401FB3
                                              • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,?,000000F0), ref: 0040201D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2404030666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404060230.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404164831.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                              • String ID: 764
                                              • API String ID: 2987980305-1993166791
                                              APIs
                                              • FindFirstFileA.KERNELBASE(?,00421548,C:\Users\user\AppData\Local\Temp\nsv5087.tmp,004058F7,C:\Users\user\AppData\Local\Temp\nsv5087.tmp,C:\Users\user\AppData\Local\Temp\nsv5087.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsv5087.tmp,C:\Users\user\AppData\Local\Temp\nsv5087.tmp,?,?,75572EE0,00405616,?,C:\Users\user\AppData\Local\Temp\,75572EE0), ref: 00406045
                                              • FindClose.KERNELBASE(00000000), ref: 00406051
                                              Strings
                                              • C:\Users\user\AppData\Local\Temp\nsv5087.tmp, xrefs: 0040603A
                                              Similarity
                                              • API ID: Find$CloseFileFirst
                                              • String ID: C:\Users\user\AppData\Local\Temp\nsv5087.tmp
                                              • API String ID: 2295610775-2698442286
                                              APIs
                                              • GetModuleHandleA.KERNEL32(?,?,?,0040325C,00000009), ref: 00406073
                                              • LoadLibraryA.KERNELBASE(?,?,?,0040325C,00000009), ref: 0040607E
                                              • GetProcAddress.KERNEL32(00000000,?), ref: 0040608F
                                              Similarity
                                              • API ID: AddressHandleLibraryLoadModuleProc
                                              • String ID:
                                              • API String ID: 310444273-0

                                              Control-flow Graph: function at 00403787 (graph not reproduced)
                                              APIs
                                                • Part of subcall function 00406061: GetModuleHandleA.KERNEL32(?,?,?,0040325C,00000009), ref: 00406073
                                                • Part of subcall function 00406061: LoadLibraryA.KERNELBASE(?,?,?,0040325C,00000009), ref: 0040607E
                                                • Part of subcall function 00406061: GetProcAddress.KERNEL32(00000000,?), ref: 0040608F
                                              • lstrcatA.KERNEL32(1033,0041FCF8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0041FCF8,00000000,00000002,C:\Users\user\AppData\Local\Temp\,75573410,"C:\Users\user\Desktop\Ppto.24265.exe",00000000), ref: 00403802
                                              • lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\colombians\fanwort\cherie,1033,0041FCF8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0041FCF8,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403877
                                              • lstrcmpiA.KERNEL32(?,.exe), ref: 0040388A
                                              • GetFileAttributesA.KERNEL32(Call), ref: 00403895
                                              • LoadImageA.USER32(00000067,?,00000000,00000000,00008040,C:\Users\user\colombians\fanwort\cherie), ref: 004038DE
                                                • Part of subcall function 00405C94: wsprintfA.USER32 ref: 00405CA1
                                              • RegisterClassA.USER32(00422EA0), ref: 0040391B
                                              • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403933
                                              • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403968
                                              • ShowWindow.USER32(00000005,00000000), ref: 0040399E
                                              • LoadLibraryA.KERNELBASE(RichEd20), ref: 004039AF
                                              • LoadLibraryA.KERNEL32(RichEd32), ref: 004039BA
                                              • GetClassInfoA.USER32(00000000,RichEdit20A,00422EA0), ref: 004039CA
                                              • GetClassInfoA.USER32(00000000,RichEdit,00422EA0), ref: 004039D7
                                              • RegisterClassA.USER32(00422EA0), ref: 004039E0
                                              • DialogBoxParamA.USER32(?,00000000,00403B19,00000000), ref: 004039FF
                                              Similarity
                                              • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                              • String ID: "C:\Users\user\Desktop\Ppto.24265.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\colombians\fanwort\cherie$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                              • API String ID: 914957316-2872116926

                                              Control-flow Graph: function at 00403B19 (graph not reproduced)
                                              APIs
                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403B55
                                              • ShowWindow.USER32(?), ref: 00403B72
                                              • DestroyWindow.USER32 ref: 00403B86
                                              • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403BA2
                                              • GetDlgItem.USER32(?,?), ref: 00403BC3
                                              • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403BD7
                                              • IsWindowEnabled.USER32(00000000), ref: 00403BDE
                                              • GetDlgItem.USER32(?,?), ref: 00403C8C
                                              • GetDlgItem.USER32(?,00000002), ref: 00403C96
                                              • SetClassLongA.USER32(?,000000F2,?), ref: 00403CB0
                                              • SendMessageA.USER32(0000040F,00000000,?,?), ref: 00403D01
                                              • GetDlgItem.USER32(?,00000003), ref: 00403DA7
                                              • ShowWindow.USER32(00000000,?), ref: 00403DC8
                                              • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403DDA
                                              • EnableWindow.USER32(?,?), ref: 00403DF5
                                              • GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 00403E0B
                                              • EnableMenuItem.USER32(00000000), ref: 00403E12
                                              • SendMessageA.USER32(?,000000F4,00000000,?), ref: 00403E2A
                                              • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E3D
                                              • lstrlenA.KERNEL32(0041FCF8,?,0041FCF8,00422F00), ref: 00403E66
                                              • SetWindowTextA.USER32(?,0041FCF8), ref: 00403E75
                                              • ShowWindow.USER32(?,0000000A), ref: 00403FA9
                                              Similarity
                                              • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                              • String ID:
                                              • API String ID: 3282139019-0

                                              Control-flow Graph: function at 00402C79 (graph not reproduced)
                                              APIs
                                              • GetTickCount.KERNEL32 ref: 00402C8D
                                              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Ppto.24265.exe,00000400), ref: 00402CA9
                                                • Part of subcall function 004059C7: GetFileAttributesA.KERNELBASE(00000003,00402CBC,C:\Users\user\Desktop\Ppto.24265.exe,80000000,00000003), ref: 004059CB
                                                • Part of subcall function 004059C7: CreateFileA.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 004059ED
                                              • GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Ppto.24265.exe,C:\Users\user\Desktop\Ppto.24265.exe,80000000,00000003), ref: 00402CF2
                                              • GlobalAlloc.KERNELBASE(00000040,00409130), ref: 00402E39
                                              Similarity
                                              • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                              • String ID: "C:\Users\user\Desktop\Ppto.24265.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Ppto.24265.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$SR'$soft
                                              • API String ID: 2803837635-2829816842
                                              • Opcode ID: 91e4b9dee6fe50fd73dc962a53e9cdaf65c065133738040780962d54176249d0
                                              • Instruction ID: 2a27acbe37a486d3f9fadad6f2898e15cdcbef103c1943e89973ac3215dbffb0
                                              • Opcode Fuzzy Hash: 91e4b9dee6fe50fd73dc962a53e9cdaf65c065133738040780962d54176249d0
                                              • Instruction Fuzzy Hash: BC61C671A40205ABDF20AF64DE89B9A76B4EF00315F20413BF904B72D1D7BC9E418BAD

                                              Control-flow Graph (figure not reproduced; legend: Executed / Not Executed)
                                              APIs
                                              • lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\colombians\fanwort\cherie\Hingstefl\Eneceller,00000000,00000000,00000031), ref: 0040177E
                                              • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\colombians\fanwort\cherie\Hingstefl\Eneceller,00000000,00000000,00000031), ref: 004017A8
                                                • Part of subcall function 00405D36: lstrcpynA.KERNEL32(?,?,00000400,00403287,00422F00,NSIS Error), ref: 00405D43
                                                • Part of subcall function 0040501F: lstrlenA.KERNEL32(0041F4D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405058
                                                • Part of subcall function 0040501F: lstrlenA.KERNEL32(00402C51,0041F4D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405068
                                                • Part of subcall function 0040501F: lstrcatA.KERNEL32(0041F4D8,00402C51,00402C51,0041F4D8,00000000,00000000,00000000), ref: 0040507B
                                                • Part of subcall function 0040501F: SetWindowTextA.USER32(0041F4D8,0041F4D8), ref: 0040508D
                                                • Part of subcall function 0040501F: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050B3
                                                • Part of subcall function 0040501F: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004050CD
                                                • Part of subcall function 0040501F: SendMessageA.USER32(?,00001013,?,00000000), ref: 004050DB
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2404030666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404060230.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404164831.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                              • String ID: 764$C:\Users\user\AppData\Local\Temp\nsv5087.tmp$C:\Users\user\AppData\Local\Temp\nsv5087.tmp\System.dll$C:\Users\user\colombians\fanwort\cherie\Hingstefl\Eneceller$Call
                                              • API String ID: 1941528284-3947977560
                                              • Opcode ID: cec972a2b1698894bf5ae45e109c831223027fdbe68364e7f7d85183dc249dda
                                              • Instruction ID: 7da2985f373e49f587e0f88560f455237d5d3a700d2e38046b33ad83bb6d7614
                                              • Opcode Fuzzy Hash: cec972a2b1698894bf5ae45e109c831223027fdbe68364e7f7d85183dc249dda
                                              • Instruction Fuzzy Hash: 0341B871910515BACF10BFA5DC46DAF3679DF41369F20823BF511F10E1D63C8A419A6E

                                              Control-flow Graph (figure not reproduced; legend: Executed / Not Executed)
                                              APIs
                                              • GetTickCount.KERNEL32 ref: 0040304F
                                                • Part of subcall function 004031CC: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EA4,?), ref: 004031DA
                                              • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00402F52,00000004,00000000,00000000,?,?,?,00402ECB,000000FF,00000000,00000000), ref: 00403082
                                              • WriteFile.KERNELBASE(0040A8A0,0040B856,00000000,00000000,004128A0,00004000,?,00000000,?,00402F52,00000004,00000000,00000000,?,?), ref: 0040313C
                                              • SetFilePointer.KERNELBASE(00275253,00000000,00000000,004128A0,00004000,?,00000000,?,00402F52,00000004,00000000,00000000,?,?,?,00402ECB), ref: 0040318E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2404030666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404060230.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404164831.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: File$Pointer$CountTickWrite
                                              • String ID: SR'
                                              • API String ID: 2146148272-3158098758
                                              • Opcode ID: 24d90e6fe24fc4b927ba7929ca5aee42abf3264703176f7c86ada2f370568673
                                              • Instruction ID: 01a25493adf58fb9a894681412e440a2e883d4234beea4965eba9eb13e735820
                                              • Opcode Fuzzy Hash: 24d90e6fe24fc4b927ba7929ca5aee42abf3264703176f7c86ada2f370568673
                                              • Instruction Fuzzy Hash: CC414F725052019FDB10BF29EE849663BFCFB4431A715863BE810BA2E4D7389D52CB5E

                                              Control-flow Graph (figure not reproduced; legend: Executed / Not Executed)
                                              APIs
                                              • RegCreateKeyExA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040235A
                                              • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsv5087.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040237A
                                              • RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsv5087.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B3
                                              • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsv5087.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402490
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2404030666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404060230.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404164831.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: CloseCreateValuelstrlen
                                              • String ID: C:\Users\user\AppData\Local\Temp\nsv5087.tmp
                                              • API String ID: 1356686001-2698442286
                                              • Opcode ID: d31aa366e37b9b3f9fe6114590fb4958bdebd1bd222923d910175118945ab26d
                                              • Instruction ID: 937c1904c824b73ffe337d2eacc138a1f8ac1658d2030852d1a46e58dbdf142b
                                              • Opcode Fuzzy Hash: d31aa366e37b9b3f9fe6114590fb4958bdebd1bd222923d910175118945ab26d
                                              • Instruction Fuzzy Hash: D71172B1E00118BFEB10EFA4DE89EAF7678FB50358F10413AF905B61D1D7B85D41A668

                                              Control-flow Graph (figure not reproduced; legend: Executed / Not Executed)
                                              APIs
                                                • Part of subcall function 0040585F: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsv5087.tmp,?,004058CB,C:\Users\user\AppData\Local\Temp\nsv5087.tmp,C:\Users\user\AppData\Local\Temp\nsv5087.tmp,?,?,75572EE0,00405616,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 0040586D
                                                • Part of subcall function 0040585F: CharNextA.USER32(00000000), ref: 00405872
                                                • Part of subcall function 0040585F: CharNextA.USER32(00000000), ref: 00405886
                                              • CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
                                              • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
                                              • GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
                                              • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\colombians\fanwort\cherie\Hingstefl\Eneceller,00000000,00000000,000000F0), ref: 00401622
                                              Strings
                                              • C:\Users\user\colombians\fanwort\cherie\Hingstefl\Eneceller, xrefs: 00401617
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2404030666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404060230.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404164831.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                              • String ID: C:\Users\user\colombians\fanwort\cherie\Hingstefl\Eneceller
                                              • API String ID: 3751793516-2148869255
                                              • Opcode ID: f487aee257ff3a5fd45e2d792e3146d7acb6b48aa19e6adaf005dd1823c69d49
                                              • Instruction ID: decf54c0780f34986dcb1f6dc2400c6331eb5c21fa926316ee50895bb5337331
                                              • Opcode Fuzzy Hash: f487aee257ff3a5fd45e2d792e3146d7acb6b48aa19e6adaf005dd1823c69d49
                                              • Instruction Fuzzy Hash: CE11E931908150ABDB217F755D4496F67B4EA62365728473FF891B22D2C23C4D42E62E

                                              Control-flow Graph (figure not reproduced; legend: Executed / Not Executed)
                                              APIs
                                              • GetTickCount.KERNEL32 ref: 00405A0A
                                              • GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 00405A24
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2404030666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404060230.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404164831.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: CountFileNameTempTick
                                              • String ID: "C:\Users\user\Desktop\Ppto.24265.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                              • API String ID: 1716503409-3424441590
                                              • Opcode ID: 41eb4eacc2b5e04bba23a072be30983b5b4707d802c2e92527758f248babbe87
                                              • Instruction ID: 2f7b9810ed7c5924072585cf2130ed1295747d9915b618abfa336aedeca5813d
                                              • Opcode Fuzzy Hash: 41eb4eacc2b5e04bba23a072be30983b5b4707d802c2e92527758f248babbe87
                                              • Instruction Fuzzy Hash: C1F0E2327482487BDB008F1ADC44B9B7B9CDF91710F00C03BF904AA280D2B0A8008B68

                                              Control-flow Graph (figure not reproduced; legend: Executed / Not Executed)
                                              APIs
                                                • Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC4
                                                • Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC9
                                                • Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CCE
                                              • GlobalFree.KERNEL32(00000000), ref: 10001768
                                              • FreeLibrary.KERNEL32(?), ref: 100017DF
                                              • GlobalFree.KERNEL32(00000000), ref: 10001804
                                                • Part of subcall function 100021B0: GlobalAlloc.KERNEL32(00000040,7D8BEC45), ref: 100021E2
                                                • Part of subcall function 1000258D: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,10001739,00000000), ref: 100025FF
                                                • Part of subcall function 10001559: lstrcpyA.KERNEL32(00000000,?,00000000,10001695,00000000), ref: 10001572
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2421076785.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000000.00000002.2421054832.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                              • Associated: 00000000.00000002.2421092882.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                              • Associated: 00000000.00000002.2421108342.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_10000000_Ppto.jbxd
                                              Similarity
                                              • API ID: Global$Free$Alloc$Librarylstrcpy
                                              • String ID:
                                              • API String ID: 1791698881-3916222277
                                              • Opcode ID: 5c34708dbc5c14fa42f4b7439be41c1509afaedaf37bf6653e8bb29f9fa28a01
                                              • Instruction ID: 946e86dc2be410c0748ecba0c1d48508df540d87c222276c6f0f58241c559a10
                                              • Opcode Fuzzy Hash: 5c34708dbc5c14fa42f4b7439be41c1509afaedaf37bf6653e8bb29f9fa28a01
                                              • Instruction Fuzzy Hash: C5318B79408205DAFB41DF649CC5BCA37ECFB042D5F018465FA0A9A09ADF78A8458A60

                                              Control-flow Graph (figure not reproduced; legend: Executed / Not Executed)
                                              APIs
                                              • SetFilePointer.KERNELBASE(00409130,00000000,00000000,00000000,00000000,?,?,?,00402ECB,000000FF,00000000,00000000,00409130,?), ref: 00402F45
                                              • WriteFile.KERNELBASE(00000000,004128A0,?,000000FF,00000000,004128A0,00004000,00409130,00409130,00000004,00000004,00000000,00000000,?,?), ref: 00402FD2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2404030666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404060230.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404164831.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: File$PointerWrite
                                              • String ID: SR'
                                              • API String ID: 539440098-3158098758
                                              • Opcode ID: 41928112f34441f9b3539e2a42aa88ab340ce8e3764aaba8d566e6229e32b04b
                                              • Instruction ID: 3b6e370e410e3f669d4a968ba26e16673121f6254c39c59cd6eb20204b18cf3c
                                              • Opcode Fuzzy Hash: 41928112f34441f9b3539e2a42aa88ab340ce8e3764aaba8d566e6229e32b04b
                                              • Instruction Fuzzy Hash: 14313931502259FFDF20DF55DD44A9E3BA8EF04395F20403AF908A61D0D2789A41EBA9
                                              APIs
                                              • IsWindowVisible.USER32(?), ref: 00404FC2
                                              • CallWindowProcA.USER32(?,?,?,?), ref: 00405013
                                                • Part of subcall function 00404038: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0040404A
                                              Similarity
                                              • API ID: Window$CallMessageProcSendVisible
                                              • String ID:
                                              • API String ID: 3748168415-3916222277
                                              • Opcode ID: a1366604d20516d7a227b416e124a8c8ccbf6a8c92e3cea699473ae65b9a4b61
                                              • Instruction ID: 01da3f5901ddaf9404fa7d81b8fd4ad62d8e53e58d7af57a61279808ed2d7cb1
                                              • Opcode Fuzzy Hash: a1366604d20516d7a227b416e124a8c8ccbf6a8c92e3cea699473ae65b9a4b61
                                              • Instruction Fuzzy Hash: EA018F7110020DABDF209F11DC85E9F3B6AF784758F208037FA04752D1D77A8C92AAAE
                                              APIs
                                                • Part of subcall function 00405FA1: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Ppto.24265.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 00405FF9
                                                • Part of subcall function 00405FA1: CharNextA.USER32(?,?,?,00000000), ref: 00406006
                                                • Part of subcall function 00405FA1: CharNextA.USER32(?,"C:\Users\user\Desktop\Ppto.24265.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 0040600B
                                                • Part of subcall function 00405FA1: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 0040601B
                                              • CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 00403204
                                              Similarity
                                              • API ID: Char$Next$CreateDirectoryPrev
                                              • String ID: 1033$C:\Users\user\AppData\Local\Temp\
                                              • API String ID: 4115351271-3144792594
                                              • Opcode ID: ee23c129dd8a5d49f4f649e38bc420fd14e59507522fd77197c34cef7b8656a6
                                              • Instruction ID: 89773af62672bbf6302d30782f314b1c1bc42d6855f09756152acd8bf908297a
                                              • Opcode Fuzzy Hash: ee23c129dd8a5d49f4f649e38bc420fd14e59507522fd77197c34cef7b8656a6
                                              • Instruction Fuzzy Hash: 24D0C71290AD3066D5513B6A7C46FCF050C8F4675DF11807BF904751C58F6C555395EF
                                              APIs
                                              • RegOpenKeyExA.KERNELBASE(80000002,00405E62,00000000,00000002,?,00000002,?,?,00405E62,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405C46
                                              • RegQueryValueExA.KERNELBASE(?,?,00000000,00405E62,?,00405E62), ref: 00405C67
                                              • RegCloseKey.KERNELBASE(?), ref: 00405C88
                                              Similarity
                                              • API ID: CloseOpenQueryValue
                                              • String ID:
                                              • API String ID: 3677997916-0
                                              • Opcode ID: a7dc294ab98d1aedf48ab84cf89b8b0d9a3be53888eb2216a8b2e534b80ab0d4
                                              • Instruction ID: f8269c4da42e469e915d7b724f411cb256963c2af92f405d5d85614ed9ec7fb6
                                              • Opcode Fuzzy Hash: a7dc294ab98d1aedf48ab84cf89b8b0d9a3be53888eb2216a8b2e534b80ab0d4
                                              • Instruction Fuzzy Hash: 8801487114420EEFEB128F64EC44EEB3FACEF15394F00402AF945A6220D235D964DBA5
                                              APIs
                                                • Part of subcall function 00402B07: RegOpenKeyExA.KERNELBASE(00000000,0000045A,00000000,00000022,00000000,?,?), ref: 00402B2F
                                              • RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402468
                                              • RegEnumValueA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 0040247B
                                              • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsv5087.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402490
                                              Similarity
                                              • API ID: Enum$CloseOpenValue
                                              • String ID:
                                              • API String ID: 167947723-0
                                              APIs
                                              • ShellExecuteA.SHELL32(?,00000000,00000000,00000000,C:\Users\user\colombians\fanwort\cherie\Hingstefl\Eneceller,?), ref: 00401E1E
                                              Strings
                                              • C:\Users\user\colombians\fanwort\cherie\Hingstefl\Eneceller, xrefs: 00401E09
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: ExecuteShell
                                              • String ID: C:\Users\user\colombians\fanwort\cherie\Hingstefl\Eneceller
                                              • API String ID: 587946157-2148869255
                                              APIs
                                              • CreateFileA.KERNELBASE(00000000), ref: 100028AB
                                              • GetLastError.KERNEL32 ref: 100029B2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2421076785.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000000.00000002.2421054832.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                              • Associated: 00000000.00000002.2421092882.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                              • Associated: 00000000.00000002.2421108342.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_10000000_Ppto.jbxd
                                              Similarity
                                              • API ID: CreateErrorFileLast
                                              • String ID:
                                              • API String ID: 1214770103-0
                                              APIs
                                                • Part of subcall function 00402B07: RegOpenKeyExA.KERNELBASE(00000000,0000045A,00000000,00000022,00000000,?,?), ref: 00402B2F
                                              • RegQueryValueExA.KERNELBASE(00000000,00000000,?,?,?,?), ref: 004023F8
                                              • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsv5087.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402490
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: CloseOpenQueryValue
                                              • String ID:
                                              • API String ID: 3677997916-0
                                              APIs
                                              • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                              • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID:
                                              • API String ID: 3850602802-0
                                              APIs
                                              • ShowWindow.USER32(00000000,00000000,?), ref: 00401DC2
                                              • EnableWindow.USER32(00000000,00000000), ref: 00401DCD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: Window$EnableShow
                                              • String ID:
                                              • API String ID: 1136574915-0
                                              APIs
                                              • GetFileAttributesA.KERNELBASE(00000003,00402CBC,C:\Users\user\Desktop\Ppto.24265.exe,80000000,00000003), ref: 004059CB
                                              • CreateFileA.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 004059ED
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: File$AttributesCreate
                                              • String ID:
                                              • API String ID: 415043291-0
                                              APIs
                                              • GetFileAttributesA.KERNELBASE(?,?,004055BA,?,?,00000000,0040579D,?,?,?,?), ref: 004059A7
                                              • SetFileAttributesA.KERNEL32(?,00000000), ref: 004059BB
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: AttributesFile
                                              • String ID:
                                              • API String ID: 3188754299-0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: wsprintf
                                              • String ID:
                                              • API String ID: 2111968516-0
                                              APIs
                                              • WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 00402274
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: PrivateProfileStringWrite
                                              • String ID:
                                              • API String ID: 390214022-0
                                              APIs
                                              • SetFilePointer.KERNELBASE(00000000,?,00000000,00000002,?,?), ref: 004025ED
                                                • Part of subcall function 00405C94: wsprintfA.USER32 ref: 00405CA1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: FilePointerwsprintf
                                              • String ID:
                                              • API String ID: 327478801-0
                                              APIs
                                              • RegOpenKeyExA.KERNELBASE(00000000,0000045A,00000000,00000022,00000000,?,?), ref: 00402B2F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: Open
                                              • String ID:
                                              • API String ID: 71445658-0
                                              APIs
                                              • ReadFile.KERNELBASE(00409130,00000000,00000000,00000000,00000000,004128A0,0040A8A0,004031C9,00409130,00409130,004030BB,004128A0,00004000,?,00000000,?), ref: 00405A53
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2404030666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404060230.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404164831.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: FileRead
                                              • String ID:
                                              • API String ID: 2738559852-0
                                              • Opcode ID: 36ce21e0183dc59356ed1b7b138b7ffe2bb5c4fd6ccae5392a8977301763c5ee
                                              • Instruction ID: 55609983f428609d3339a900fe5ea2c3161a13bcf9e808ef2cae39733250456b
                                              • Opcode Fuzzy Hash: 36ce21e0183dc59356ed1b7b138b7ffe2bb5c4fd6ccae5392a8977301763c5ee
                                              • Instruction Fuzzy Hash: F7E08C3231025AABDF109EA09C40AEB3B6CEB00760F084432FA14E2040D230E9218FA5
                                              APIs
                                              • VirtualProtect.KERNELBASE(1000404C,00000004,00000040,1000403C), ref: 1000272D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2421076785.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000000.00000002.2421054832.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                              • Associated: 00000000.00000002.2421092882.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                              • Associated: 00000000.00000002.2421108342.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_10000000_Ppto.jbxd
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              • Opcode ID: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
                                              • Instruction ID: 4dab7c069dd6fc30f8915db09394f7f991a1b088a201bba37056324bf7fcc065
                                              • Opcode Fuzzy Hash: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
                                              • Instruction Fuzzy Hash: 98F09BF19092A0DEF360DF688CC47063FE4E3993D5B03852AE358F6269EB7441448B19
                                              APIs
                                              • SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2404030666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404060230.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404164831.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: AttributesFile
                                              • String ID:
                                              • API String ID: 3188754299-0
                                              • Opcode ID: 73dd263cc16519303ec7764465a471deb27e32fa1ac2c7a341e96c07e1019198
                                              • Instruction ID: bed2877986d8c12a83e01492d596720214e57a472dec7050afa6ab6fccae40cd
                                              • Opcode Fuzzy Hash: 73dd263cc16519303ec7764465a471deb27e32fa1ac2c7a341e96c07e1019198
                                              • Instruction Fuzzy Hash: 17D01277B08114E7DB00DBB5AE48A9E73A4FB50325F208637D111F11D0D3B98551A629
                                              APIs
                                              • SendMessageA.USER32(00000028,?,?,00403E52), ref: 0040402F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2404030666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404060230.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404164831.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID:
                                              • API String ID: 3850602802-0
                                              • Opcode ID: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
                                              • Instruction ID: 7b5ccc39adf6f72de5191684d4495c6b43ffe58f78915606d69c4a7e6f44d702
                                              • Opcode Fuzzy Hash: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
                                              • Instruction Fuzzy Hash: F3B092B5684200BAEE224B40DD09F457EA2E7A4702F008024B300240B0C6B200A1DB19
                                              APIs
                                              • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EA4,?), ref: 004031DA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2404030666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404060230.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404164831.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: FilePointer
                                              • String ID:
                                              • API String ID: 973152223-0
                                              • Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
                                              • Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
                                              • Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
                                              • Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D
                                              APIs
                                              • Sleep.KERNELBASE(00000000), ref: 004014E5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2404030666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404060230.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404164831.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: Sleep
                                              • String ID:
                                              • API String ID: 3472027048-0
                                              • Opcode ID: 89a3138968292bab01d7131142a88cb84c5e6bf95ef28c2e228963085d41211d
                                              • Instruction ID: 4daead48d26ae6742cc4751adb680189456718570d67c7320b978f12710e1ab5
                                              • Opcode Fuzzy Hash: 89a3138968292bab01d7131142a88cb84c5e6bf95ef28c2e228963085d41211d
                                              • Instruction Fuzzy Hash: DFD0C7B7B141006BD750E7B86E8545A73E8F75135A7148837D502E1191D17DC9415519
                                              APIs
                                              • GetDlgItem.USER32(?,00000403), ref: 004051BC
                                              • GetDlgItem.USER32(?,000003EE), ref: 004051CB
                                              • GetClientRect.USER32(?,?), ref: 00405208
                                              • GetSystemMetrics.USER32(00000002), ref: 0040520F
                                              • SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405230
                                              • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405241
                                              • SendMessageA.USER32(?,00001001,00000000,?), ref: 00405254
                                              • SendMessageA.USER32(?,00001026,00000000,?), ref: 00405262
                                              • SendMessageA.USER32(?,00001024,00000000,?), ref: 00405275
                                              • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405297
                                              • ShowWindow.USER32(?,00000008), ref: 004052AB
                                              • GetDlgItem.USER32(?,000003EC), ref: 004052CC
                                              • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004052DC
                                              • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004052F5
                                              • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 00405301
                                              • GetDlgItem.USER32(?,000003F8), ref: 004051DA
                                                • Part of subcall function 00404021: SendMessageA.USER32(00000028,?,?,00403E52), ref: 0040402F
                                              • GetDlgItem.USER32(?,000003EC), ref: 0040531D
                                              • CreateThread.KERNEL32(00000000,00000000,Function_000050F1,00000000), ref: 0040532B
                                              • CloseHandle.KERNEL32(00000000), ref: 00405332
                                              • ShowWindow.USER32(00000000), ref: 00405355
                                              • ShowWindow.USER32(?,00000008), ref: 0040535C
                                              • ShowWindow.USER32(00000008), ref: 004053A2
                                              • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004053D6
                                              • CreatePopupMenu.USER32 ref: 004053E7
                                              • AppendMenuA.USER32(00000000,00000000,?,00000000), ref: 004053FC
                                              • GetWindowRect.USER32(?,000000FF), ref: 0040541C
                                              • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405435
                                              • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405471
                                              • OpenClipboard.USER32(00000000), ref: 00405481
                                              • EmptyClipboard.USER32 ref: 00405487
                                              • GlobalAlloc.KERNEL32(00000042,?), ref: 00405490
                                              • GlobalLock.KERNEL32(00000000), ref: 0040549A
                                              • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004054AE
                                              • GlobalUnlock.KERNEL32(00000000), ref: 004054C7
                                              • SetClipboardData.USER32(?,00000000), ref: 004054D2
                                              • CloseClipboard.USER32 ref: 004054D8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2404030666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404060230.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404164831.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                              • String ID:
                                              • API String ID: 590372296-0
                                              • Opcode ID: 5fccc0b628b5d146bb46abdfcf0f3fd18cc91aed4c2004e16f4bf8579c4053ce
                                              • Instruction ID: 24acf85f457993e5d1a00f4a74fbc0a00d7f38a893508f9c9f1f5035b4e63235
                                              • Opcode Fuzzy Hash: 5fccc0b628b5d146bb46abdfcf0f3fd18cc91aed4c2004e16f4bf8579c4053ce
                                              • Instruction Fuzzy Hash: 5FA15BB1900208BFDB219FA0DD89AAE7F79FB08355F10407AFA04B61A0C7B55E51DF69
                                              APIs
                                              • GetDlgItem.USER32(?,000003FB), ref: 00404479
                                              • SetWindowTextA.USER32(00000000,?), ref: 004044A3
                                              • SHBrowseForFolderA.SHELL32(?,0041F0D0,?), ref: 00404554
                                              • CoTaskMemFree.OLE32(00000000), ref: 0040455F
                                              • lstrcmpiA.KERNEL32(Call,0041FCF8), ref: 00404591
                                              • lstrcatA.KERNEL32(?,Call), ref: 0040459D
                                              • SetDlgItemTextA.USER32(?,000003FB,?), ref: 004045AF
                                                • Part of subcall function 0040552E: GetDlgItemTextA.USER32(?,?,00000400,004045E6), ref: 00405541
                                                • Part of subcall function 00405FA1: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Ppto.24265.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 00405FF9
                                                • Part of subcall function 00405FA1: CharNextA.USER32(?,?,?,00000000), ref: 00406006
                                                • Part of subcall function 00405FA1: CharNextA.USER32(?,"C:\Users\user\Desktop\Ppto.24265.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 0040600B
                                                • Part of subcall function 00405FA1: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 0040601B
                                              • GetDiskFreeSpaceA.KERNEL32(0041ECC8,?,?,0000040F,?,0041ECC8,0041ECC8,?,00000000,0041ECC8,?,?,000003FB,?), ref: 0040466C
                                              • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404687
                                                • Part of subcall function 004047E0: lstrlenA.KERNEL32(0041FCF8,0041FCF8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004046FB,000000DF,00000000,00000400,?), ref: 0040487E
                                                • Part of subcall function 004047E0: wsprintfA.USER32 ref: 00404886
                                                • Part of subcall function 004047E0: SetDlgItemTextA.USER32(?,0041FCF8), ref: 00404899
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2404030666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404060230.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404164831.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                              • String ID: 764$A$C:\Users\user\colombians\fanwort\cherie$Call
                                              • API String ID: 2624150263-2218765734
                                              • Opcode ID: f98f00a644f458d2e02a584555e30f134e65ef2c05e9b8026b1db21ee3dd4a2e
                                              • Instruction ID: 5a451af96f6c61f8b8aedc9e732e962e3b59a2a539d705b9404eba0a1a8e20eb
                                              • Opcode Fuzzy Hash: f98f00a644f458d2e02a584555e30f134e65ef2c05e9b8026b1db21ee3dd4a2e
                                              • Instruction Fuzzy Hash: A6A162B1900208ABDB11AFA6CD45AEFB7B9EF85314F10843BF611B72D1D77C89418B69
                                              APIs
                                              • CoCreateInstance.OLE32(00407384,?,?,00407374,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040208B
                                              • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,?,00407374,?,?), ref: 00402143
                                              Strings
                                              • C:\Users\user\colombians\fanwort\cherie\Hingstefl\Eneceller, xrefs: 004020CB
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2404030666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404060230.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404164831.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: ByteCharCreateInstanceMultiWide
                                              • String ID: C:\Users\user\colombians\fanwort\cherie\Hingstefl\Eneceller
                                              • API String ID: 123533781-2148869255
                                              • Opcode ID: 67eeef5bfe48d64c696600bc04f6a24e74d7f241817d7ead55992a07deef4c16
                                              • Instruction ID: 1053df79af30500630abfeafbcf843dcec04d0d4e3091bc204b5fde3a4f6985c
                                              • Opcode Fuzzy Hash: 67eeef5bfe48d64c696600bc04f6a24e74d7f241817d7ead55992a07deef4c16
                                              • Instruction Fuzzy Hash: 3B416D71A00209BFCB40EFA4CE88E9E7BB5BF48354B2042A9F911FB2D1D6799D41DB54
                                              APIs
                                              • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402654
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2404030666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404060230.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404164831.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                                              Similarity
                                              • API ID: FileFindFirst
                                              • String ID:
                                              • API String ID: 1974802433-0
                                              • Opcode ID: ccce1f70038ac7e86c24494b5107ef2433622a556594bc7a72e3d796f50df0b9
                                              • Instruction ID: 2b7524724565807a685c72c68d6b6eabb337ae57375c882a310f3ed35d4a28aa
                                              • Opcode Fuzzy Hash: ccce1f70038ac7e86c24494b5107ef2433622a556594bc7a72e3d796f50df0b9
                                              • Instruction Fuzzy Hash: D4F0EC72504110EBD700EBB4994DAEE77B8DF51314F60457BE141F21C1D3B84945E72E
                                              APIs
                                              • CheckDlgButton.USER32(00000000,-0000040A,?), ref: 004041C0
                                              • GetDlgItem.USER32(00000000,000003E8), ref: 004041D4
                                              • SendMessageA.USER32(00000000,0000045B,?,00000000), ref: 004041F2
                                              • GetSysColor.USER32(?), ref: 00404203
                                              • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404212
                                              • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404221
                                              • lstrlenA.KERNEL32(?), ref: 00404224
                                              • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404233
                                              • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404248
                                              • GetDlgItem.USER32(?,0000040A), ref: 004042AA
                                              • SendMessageA.USER32(00000000), ref: 004042AD
                                              • GetDlgItem.USER32(?,000003E8), ref: 004042D8
                                              • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404318
                                              • LoadCursorA.USER32(00000000,00007F02), ref: 00404327
                                              • SetCursor.USER32(00000000), ref: 00404330
                                              • ShellExecuteA.SHELL32(0000070B,open,004226A0,00000000,00000000,?), ref: 00404343
                                              • LoadCursorA.USER32(00000000,00007F00), ref: 00404350
                                              • SetCursor.USER32(00000000), ref: 00404353
                                              • SendMessageA.USER32(00000111,?,00000000), ref: 0040437F
                                              • SendMessageA.USER32(00000010,00000000,00000000), ref: 00404393
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                              • String ID: Call$N$open
                                              • API String ID: 3615053054-2563687911
                                              • Opcode ID: aa854a75b9a8ef41e2656ff54a1ab69c816baf86c41e2f577b142ace3155aca6
                                              • Instruction ID: 47d1c741c4840d0b501b4796cf3fe0e3440e9ec9cd7b0debe1a5eac4f9bfffd7
                                              • Opcode Fuzzy Hash: aa854a75b9a8ef41e2656ff54a1ab69c816baf86c41e2f577b142ace3155aca6
                                              • Instruction Fuzzy Hash: 8F61A0B1A40309BFEB109F61DD45F6A7B69FB84704F108026FB04BB2D1C7B8A951CB99
                                              APIs
                                              • lstrcpyA.KERNEL32(00421A88,NUL,?,00000000,?,00000000,?,00405C12,?,?,?,004057B5,?,00000000,000000F1,?), ref: 00405A7E
                                              • CloseHandle.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,00405C12,?,?,?,004057B5,?,00000000,000000F1,?), ref: 00405AA2
                                              • GetShortPathNameA.KERNEL32(00000000,00421A88,00000400), ref: 00405AAB
                                                • Part of subcall function 0040592C: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B5B,00000000,[Rename],00000000,00000000,00000000), ref: 0040593C
                                                • Part of subcall function 0040592C: lstrlenA.KERNEL32(00405B5B,?,00000000,00405B5B,00000000,[Rename],00000000,00000000,00000000), ref: 0040596E
                                              • GetShortPathNameA.KERNEL32(?,00421E88,00000400), ref: 00405AC8
                                              • wsprintfA.USER32 ref: 00405AE6
                                              • GetFileSize.KERNEL32(00000000,00000000,00421E88,C0000000,00000004,00421E88,?,?,?,?,?), ref: 00405B21
                                              • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405B30
                                              • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405B68
                                              • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00421688,00000000,-0000000A,004093A0,00000000,[Rename],00000000,00000000,00000000), ref: 00405BBE
                                              • WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405BD0
                                              • GlobalFree.KERNEL32(00000000), ref: 00405BD7
                                              • CloseHandle.KERNEL32(00000000), ref: 00405BDE
                                                • Part of subcall function 004059C7: GetFileAttributesA.KERNELBASE(00000003,00402CBC,C:\Users\user\Desktop\Ppto.24265.exe,80000000,00000003), ref: 004059CB
                                                • Part of subcall function 004059C7: CreateFileA.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 004059ED
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
                                              • String ID: %s=%s$NUL$[Rename]
                                              • API String ID: 1265525490-4148678300
                                              • Opcode ID: 10d4b8fe51d6b6f2625f365b8b26cf256cf2f07af5c2bd562b8105816d8408bc
                                              • Instruction ID: 2d1e09aab0418ff75005a817fdb93eb8b9645243d234663ae25a64343302d3c0
                                              • Opcode Fuzzy Hash: 10d4b8fe51d6b6f2625f365b8b26cf256cf2f07af5c2bd562b8105816d8408bc
                                              • Instruction Fuzzy Hash: BE41DEB1604A15BFD6206B219C49F6B3A6CDF45718F14053BBE01FA2D2EA7CB8018E7D
                                              APIs
                                              • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                              • BeginPaint.USER32(?,?), ref: 00401047
                                              • GetClientRect.USER32(?,?), ref: 0040105B
                                              • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                              • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                              • DeleteObject.GDI32(?), ref: 004010ED
                                              • CreateFontIndirectA.GDI32(?), ref: 00401105
                                              • SetBkMode.GDI32(00000000,?), ref: 00401126
                                              • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                              • SelectObject.GDI32(00000000,?), ref: 00401140
                                              • DrawTextA.USER32(00000000,00422F00,000000FF,00000010,00000820), ref: 00401156
                                              • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                              • DeleteObject.GDI32(?), ref: 00401165
                                              • EndPaint.USER32(?,?), ref: 0040116E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                              • String ID: F
                                              • API String ID: 941294808-1304234792
                                              • Opcode ID: c2d680870d7abd1e1a74e136b5aebc8f23ebe5596e06de1d1944de18111d68fb
                                              • Instruction ID: ce5436bc7dfccdabf5b2378cdbc04c65b8fc1f8d51739f20964cb8902a5fcb59
                                              • Opcode Fuzzy Hash: c2d680870d7abd1e1a74e136b5aebc8f23ebe5596e06de1d1944de18111d68fb
                                              • Instruction Fuzzy Hash: F2419A72804249AFCF058F94CD459AFBFB9FF44310F00812AF961AA1A0C738EA50DFA5
                                              APIs
                                              • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Ppto.24265.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 00405FF9
                                              • CharNextA.USER32(?,?,?,00000000), ref: 00406006
                                              • CharNextA.USER32(?,"C:\Users\user\Desktop\Ppto.24265.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 0040600B
                                              • CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 0040601B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: Char$Next$Prev
                                              • String ID: "C:\Users\user\Desktop\Ppto.24265.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                              • API String ID: 589700163-2023061385
                                              • Opcode ID: cac177dc58e6cdce4745106bcf32f060ca56d97be21c35c0cc42ba282efa81fa
                                              • Instruction ID: 96a923a8ee4f60b6f191beee89bac6a1f57d38d5d4ddb578b75945660f6dc773
                                              • Opcode Fuzzy Hash: cac177dc58e6cdce4745106bcf32f060ca56d97be21c35c0cc42ba282efa81fa
                                              • Instruction Fuzzy Hash: 57110451908B9229FB325A284C40B777F99CF5A760F18047FE5C1722C2C67C5C529B6E
                                              APIs
                                              • GetWindowLongA.USER32(?,000000EB), ref: 00404070
                                              • GetSysColor.USER32(00000000), ref: 0040408C
                                              • SetTextColor.GDI32(?,00000000), ref: 00404098
                                              • SetBkMode.GDI32(?,?), ref: 004040A4
                                              • GetSysColor.USER32(?), ref: 004040B7
                                              • SetBkColor.GDI32(?,?), ref: 004040C7
                                              • DeleteObject.GDI32(?), ref: 004040E1
                                              • CreateBrushIndirect.GDI32(?), ref: 004040EB
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                              • String ID:
                                              • API String ID: 2320649405-0
                                              • Opcode ID: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
                                              • Instruction ID: 47825c477eeffae7bcc1b4b45db8633c52535f80fcd06c8b97140eed864a5805
                                              • Opcode Fuzzy Hash: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
                                              • Instruction Fuzzy Hash: 0621A4B18047049BCB309F68DD08B4BBBF8AF40714F048639EA95F26E1C738E944CB65
                                              APIs
                                              • GlobalFree.KERNEL32(00000000), ref: 1000234A
                                                • Part of subcall function 10001224: lstrcpynA.KERNEL32(00000000,?,100012CF,-1000404B,100011AB,-000000A0), ref: 10001234
                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 100022C3
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 100022D8
                                              • GlobalAlloc.KERNEL32(00000040,00000010), ref: 100022E7
                                              • CLSIDFromString.OLE32(00000000,00000000), ref: 100022F4
                                              • GlobalFree.KERNEL32(00000000), ref: 100022FB
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2421076785.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000000.00000002.2421054832.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                              • Associated: 00000000.00000002.2421092882.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                              • Associated: 00000000.00000002.2421108342.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_10000000_Ppto.jbxd
                                              Similarity
                                              • API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
                                              • String ID:
                                              • API String ID: 3730416702-0
                                              • Opcode ID: 5812f53bea9c9c9f79666072e50bc0f3831b96dbb387c6cf78516ccbd9521935
                                              • Instruction ID: fe65b043c70383bd2b49c92c90746d4950a0c6047a38c1932a2dc3020861886a
                                              • Opcode Fuzzy Hash: 5812f53bea9c9c9f79666072e50bc0f3831b96dbb387c6cf78516ccbd9521935
                                              • Instruction Fuzzy Hash: F6418BB1108711EFF720DFA48884B5BB7F8FF443D1F218929F946D61A9DB34AA448B61
                                              APIs
                                                • Part of subcall function 10001215: GlobalAlloc.KERNEL32(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D
                                              • GlobalFree.KERNEL32(?), ref: 100024B9
                                              • GlobalFree.KERNEL32(00000000), ref: 100024F3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2421076785.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                              Similarity
                                              • API ID: Global$Free$Alloc
                                              • String ID:
                                              • API String ID: 1780285237-0
                                              • Opcode ID: 28705be4039c1f606362c20ff13fdce37c258c5b4734a68cc6567389004174f8
                                              • Instruction ID: 82133e1bc6da927614d5bcfc3b496831b4cb396c3e6da136b8b2dca3161aa200
                                              • Opcode Fuzzy Hash: 28705be4039c1f606362c20ff13fdce37c258c5b4734a68cc6567389004174f8
                                              • Instruction Fuzzy Hash: 75319CB1504251EFF722CF94CCC4C6B7BBDEB852D4B128569FA4193228DB31AC54DB62
                                              APIs
                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026D7
                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026F3
                                              • GlobalFree.KERNEL32(?), ref: 0040272C
                                              • WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 0040273E
                                              • GlobalFree.KERNEL32(00000000), ref: 00402745
                                              • CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 0040275D
                                              • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 00402771
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                              • String ID:
                                              • API String ID: 3294113728-0
                                              • Opcode ID: 0f129fd7f7df80537c5f9e1eb6f54556ad660c5267986f7df7bd7c5007d73d3e
                                              • Instruction ID: 552098977e22cffcc29eaacdabede243c0f20e1b5d71923adfcfca28e3e686eb
                                              • Opcode Fuzzy Hash: 0f129fd7f7df80537c5f9e1eb6f54556ad660c5267986f7df7bd7c5007d73d3e
                                              • Instruction Fuzzy Hash: 63318DB1C00118BFCF216FA5CD89DAE7E79EF09364F10423AF520762E1C6795D419BA9
                                              APIs
                                              • lstrlenA.KERNEL32(0041F4D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405058
                                              • lstrlenA.KERNEL32(00402C51,0041F4D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405068
                                              • lstrcatA.KERNEL32(0041F4D8,00402C51,00402C51,0041F4D8,00000000,00000000,00000000), ref: 0040507B
                                              • SetWindowTextA.USER32(0041F4D8,0041F4D8), ref: 0040508D
                                              • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050B3
                                              • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004050CD
                                              • SendMessageA.USER32(?,00001013,?,00000000), ref: 004050DB
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2404030666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404060230.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404164831.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                              • String ID:
                                              • API String ID: 2531174081-0
                                              • Opcode ID: fe51e3db3acd615496ccbf9ac5cad90a085764a87c5addfa2b073bf2a2aea827
                                              • Instruction ID: 2b33129011dff48d1edd85efe61027b37dbb0349f6b457de8e93b882053e083c
                                              • Opcode Fuzzy Hash: fe51e3db3acd615496ccbf9ac5cad90a085764a87c5addfa2b073bf2a2aea827
                                              • Instruction Fuzzy Hash: C2219071900508BBDB119FA5CD84ADFBFB9EF14354F14807AF544B6290C2794E45DFA8
                                              APIs
                                              • DestroyWindow.USER32(00000000,00000000), ref: 00402BF2
                                              • GetTickCount.KERNEL32 ref: 00402C10
                                              • wsprintfA.USER32 ref: 00402C3E
                                                • Part of subcall function 0040501F: lstrlenA.KERNEL32(0041F4D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405058
                                                • Part of subcall function 0040501F: lstrlenA.KERNEL32(00402C51,0041F4D8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405068
                                                • Part of subcall function 0040501F: lstrcatA.KERNEL32(0041F4D8,00402C51,00402C51,0041F4D8,00000000,00000000,00000000), ref: 0040507B
                                                • Part of subcall function 0040501F: SetWindowTextA.USER32(0041F4D8,0041F4D8), ref: 0040508D
                                                • Part of subcall function 0040501F: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050B3
                                                • Part of subcall function 0040501F: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004050CD
                                                • Part of subcall function 0040501F: SendMessageA.USER32(?,00001013,?,00000000), ref: 004050DB
                                              • CreateDialogParamA.USER32(0000006F,00000000,00402B42,00000000), ref: 00402C62
                                              • ShowWindow.USER32(00000000,00000005), ref: 00402C70
                                                • Part of subcall function 00402BBE: MulDiv.KERNEL32(00000000,00000064,00000FB6), ref: 00402BD3
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2404030666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404060230.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404164831.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                              • String ID: ... %d%%
                                              • API String ID: 722711167-2449383134
                                              • Opcode ID: 71ceea4fecd240b715e1583c6742d443c774c4b1fc767c2b6efff362cb3abd53
                                              • Instruction ID: 53b2eec8c243fd5a5b591a6d8e7090b5e500d3da6e0592f5c5af2241ed808ea0
                                              • Opcode Fuzzy Hash: 71ceea4fecd240b715e1583c6742d443c774c4b1fc767c2b6efff362cb3abd53
                                              • Instruction Fuzzy Hash: AB0188B0949614ABDB216F64AE4DE9F7B7CFB017057148037FA01B11E1C6B8D541CBAE
                                              APIs
                                              • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404905
                                              • GetMessagePos.USER32 ref: 0040490D
                                              • ScreenToClient.USER32(?,?), ref: 00404927
                                              • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404939
                                              • SendMessageA.USER32(?,0000110C,00000000,?), ref: 0040495F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2404030666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404060230.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404164831.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: Message$Send$ClientScreen
                                              • String ID: f
                                              • API String ID: 41195575-1993550816
                                              • Opcode ID: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
                                              • Instruction ID: 7baaa9b85802c8a5173365c44ed2834cc31749f5d024e9fb4d2ec5e64c2f69ce
                                              • Opcode Fuzzy Hash: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
                                              • Instruction Fuzzy Hash: E40140B1D00218BADB01DBA4DC85FFFBBBCAB95721F10412BBA10B61D0C7B469018BA5
                                              APIs
                                              • SetTimer.USER32(?,?,000000FA,00000000), ref: 00402B5D
                                              • wsprintfA.USER32 ref: 00402B91
                                              • SetWindowTextA.USER32(?,?), ref: 00402BA1
                                              • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BB3
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2404030666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404060230.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404164831.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: Text$ItemTimerWindowwsprintf
                                              • String ID: unpacking data: %d%%$verifying installer: %d%%
                                              • API String ID: 1451636040-1158693248
                                              • Opcode ID: bccffcf18056edd42c20cb723d80919439a72dcdb3cc8cc3de12e394d3f134cc
                                              • Instruction ID: 4b4d840d1cf11f9656568dd8641bec75cd76f4f3bd4f461a87d93eb2d0bf3f96
                                              • Opcode Fuzzy Hash: bccffcf18056edd42c20cb723d80919439a72dcdb3cc8cc3de12e394d3f134cc
                                              • Instruction Fuzzy Hash: F7F01D70900208BBEF215F61DD4ABEE3779EB00345F00803AFA06B51D0D7F8AA558B9A
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2421076785.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000000.00000002.2421054832.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                              • Associated: 00000000.00000002.2421092882.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                              • Associated: 00000000.00000002.2421108342.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_10000000_Ppto.jbxd
                                              Similarity
                                              • API ID: FreeGlobal
                                              • String ID:
                                              • API String ID: 2979337801-0
                                              • Opcode ID: 0c473814e0966ac58776859a9061c1e440c53011a0554eaa903a9fb75293bb16
                                              • Instruction ID: 97b6efd1b10b48d7ee9b7c7fbc92de58723c24235f199e6d6d25645bb0e8c5d4
                                              • Opcode Fuzzy Hash: 0c473814e0966ac58776859a9061c1e440c53011a0554eaa903a9fb75293bb16
                                              • Instruction Fuzzy Hash: DC512532D04159AEFB55DFB488A4AEEBBF6EF453C0F12416AE841B315DCA306E4087D2
                                              APIs
                                              • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A5E
                                              • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A9A
                                              • RegCloseKey.ADVAPI32(?), ref: 00402AA3
                                              • RegCloseKey.ADVAPI32(?), ref: 00402AC8
                                              • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AE6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2404030666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404060230.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404164831.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: Close$DeleteEnumOpen
                                              • String ID:
                                              • API String ID: 1912718029-0
                                              • Opcode ID: 5733a3c7ed8837a4e33d89bc0436a18c4a21248f1d51b77dead4e3ad8d80db37
                                              • Instruction ID: 1cfc72d501241f28ff1c9237e437913a5e8660848d06dce24e2e83bd327c9a1b
                                              • Opcode Fuzzy Hash: 5733a3c7ed8837a4e33d89bc0436a18c4a21248f1d51b77dead4e3ad8d80db37
                                              • Instruction Fuzzy Hash: EA114F71A00108FFDF219F90DE48EAA3B7DEB44349B104076FA05B11A0DBB49E559F69
                                              APIs
                                              • GetDlgItem.USER32(?), ref: 00401CD0
                                              • GetClientRect.USER32(00000000,?), ref: 00401CDD
                                              • LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CFE
                                              • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D0C
                                              • DeleteObject.GDI32(00000000), ref: 00401D1B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2404030666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404060230.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404164831.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                              • String ID:
                                              • API String ID: 1849352358-0
                                              • Opcode ID: 8c1d5d282e63fa750a7411733debfdae667bc57b8f94cb70390eb4c580c11dbe
                                              • Instruction ID: 68903ef9478fc0d920f95a79cd5396482650d24808bb52901199de5d2149753e
                                              • Opcode Fuzzy Hash: 8c1d5d282e63fa750a7411733debfdae667bc57b8f94cb70390eb4c580c11dbe
                                              • Instruction Fuzzy Hash: 06F062B2A05114BFD701DBA4EE88CAF77BCEB44301B008576F501F2091C7389D019B79
                                              APIs
                                              • GetDC.USER32(?), ref: 00401D29
                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D36
                                              • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D45
                                              • ReleaseDC.USER32(?,00000000), ref: 00401D56
                                              • CreateFontIndirectA.GDI32(0040A7D0), ref: 00401DA1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2404030666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404060230.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404164831.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: CapsCreateDeviceFontIndirectRelease
                                              • String ID:
                                              • API String ID: 3808545654-0
                                              • Opcode ID: 7af4cf4b66e980d364c2e3aa9c64882f60449cc7f52f10eab55021efc1d5f786
                                              • Instruction ID: b452d76144ce78c1ea2c31cbd89393ff29a213aa8dcca448cc35c7c7cb6754f7
                                              • Opcode Fuzzy Hash: 7af4cf4b66e980d364c2e3aa9c64882f60449cc7f52f10eab55021efc1d5f786
                                              • Instruction Fuzzy Hash: F8011271948340AFE701DBB0AE0EB9A7F74EB19705F108535F141B72E2C6B954159B2F
                                              APIs
                                              • lstrlenA.KERNEL32(0041FCF8,0041FCF8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004046FB,000000DF,00000000,00000400,?), ref: 0040487E
                                              • wsprintfA.USER32 ref: 00404886
                                              • SetDlgItemTextA.USER32(?,0041FCF8), ref: 00404899
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2404030666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404060230.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404164831.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: ItemTextlstrlenwsprintf
                                              • String ID: %u.%u%s%s
                                              • API String ID: 3540041739-3551169577
                                              • Opcode ID: 878f77dbdcb51275c09da16e61d4023f379ce68319930481f66ff31823ee0149
                                              • Instruction ID: 8631c14a921e8479d2aaee063571767324bc63c1cfe9171b6f21c1c007081b9c
                                              • Opcode Fuzzy Hash: 878f77dbdcb51275c09da16e61d4023f379ce68319930481f66ff31823ee0149
                                              • Instruction Fuzzy Hash: 90112433A441283BDB0065AD9C49EAF328CDF81334F244637FA25F61D1E9788C1292E8
                                              APIs
                                              • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C18
                                              • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C30
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2404030666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404060230.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404164831.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: MessageSend$Timeout
                                              • String ID: !
                                              • API String ID: 1777923405-2657877971
                                              • Opcode ID: 223d8f7865d2b1dd0e95bc8f55079009c40be9e2a37a1be7db68750e4265ac19
                                              • Instruction ID: c8505a4ed1fbcfe48898eca751f608fe424cacc25c72cee6cab93c7adb8e4515
                                              • Opcode Fuzzy Hash: 223d8f7865d2b1dd0e95bc8f55079009c40be9e2a37a1be7db68750e4265ac19
                                              • Instruction Fuzzy Hash: 742190B1A44208BFEF41AFB4CD4AAAE7BB5EF40344F14453EF541B61D1D6B89A40E728
                                              APIs
                                              • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75572EE0,004036C9,75573410,004034D6,?), ref: 0040370C
                                              • GlobalFree.KERNEL32(00634938), ref: 00403713
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: Free$GlobalLibrary
                                              • String ID: 8Ic$C:\Users\user\AppData\Local\Temp\
                                              • API String ID: 1100898210-1525370774
                                              • Opcode ID: 86ea4e8f2e330b4051334ac2fa91e3adcb647da4565bec0431381526e270e322
                                              • Instruction ID: 0fe4964e98027e88380181352afc78dea88c0f551701ba437740c6db36bc47f5
                                              • Opcode Fuzzy Hash: 86ea4e8f2e330b4051334ac2fa91e3adcb647da4565bec0431381526e270e322
                                              • Instruction Fuzzy Hash: 0EE0EC7390512097C6215F96AD04B5ABB686B89B62F06842AED407B3A18B746C418BD9
                                              APIs
                                              • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403201,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 004057CC
                                              • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403201,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 004057D5
                                              • lstrcatA.KERNEL32(?,00409014), ref: 004057E6
                                              Strings
                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 004057C6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: CharPrevlstrcatlstrlen
                                              • String ID: C:\Users\user\AppData\Local\Temp\
                                              • API String ID: 2659869361-4083868402
                                              • Opcode ID: 890135f98a5a9138db31eb4b1572133a55ea61a04d2c03425938916b0e2dddc9
                                              • Instruction ID: c144259923a6e848a034fe90771ae4f3275bad2fdba58d127270a3e6eafdfb33
                                              • Opcode Fuzzy Hash: 890135f98a5a9138db31eb4b1572133a55ea61a04d2c03425938916b0e2dddc9
                                              • Instruction Fuzzy Hash: 00D0A962606A306BD20222168C09E8F6A08CF06300B044033F204B62B2C63C0D418FFE
                                              APIs
                                              • GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401EEB
                                              • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F09
                                              • GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F22
                                              • VerQueryValueA.VERSION(?,00409014,?,?,?,?,?,00000000), ref: 00401F3B
                                                • Part of subcall function 00405C94: wsprintfA.USER32 ref: 00405CA1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                                              • String ID:
                                              • API String ID: 1404258612-0
                                              • Opcode ID: ec7151e13ff031cd6146c14c1100c40685b360c9b493fb258c96d19e35a9089b
                                              • Instruction ID: 9791f4c70c1528f8983e13c97e2cb0ced061aec02aec85b9ff59acd402aedfa8
                                              • Opcode Fuzzy Hash: ec7151e13ff031cd6146c14c1100c40685b360c9b493fb258c96d19e35a9089b
                                              • Instruction Fuzzy Hash: A0117071901209BEDF01EFA5DD85DAEBBB9EF04344B20807AF505F61A1D7388E55DB28
                                              APIs
                                              • CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsv5087.tmp,?,004058CB,C:\Users\user\AppData\Local\Temp\nsv5087.tmp,C:\Users\user\AppData\Local\Temp\nsv5087.tmp,?,?,75572EE0,00405616,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 0040586D
                                              • CharNextA.USER32(00000000), ref: 00405872
                                              • CharNextA.USER32(00000000), ref: 00405886
                                              Strings
                                              • C:\Users\user\AppData\Local\Temp\nsv5087.tmp, xrefs: 00405860
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: CharNext
                                              • String ID: C:\Users\user\AppData\Local\Temp\nsv5087.tmp
                                              • API String ID: 3213498283-2698442286
                                              • Opcode ID: 2ea991d7d7ffd85479a521eab3fc1e567f9f9a9fdda000af801139d1d19966a1
                                              • Instruction ID: 725a23b4e930c3b6c27a7d0cd0e333612dd42f6c53d199a680129a9385ae8045
                                              • Opcode Fuzzy Hash: 2ea991d7d7ffd85479a521eab3fc1e567f9f9a9fdda000af801139d1d19966a1
                                              • Instruction Fuzzy Hash: 74F06253914F516AFB3276645C44B7B5A8CCF56361F188477EE40A62C2C2BC4C618F9A
                                              APIs
                                              • SetWindowTextA.USER32(00000000,00422F00), ref: 00403AE4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: TextWindow
                                              • String ID: "C:\Users\user\Desktop\Ppto.24265.exe"$1033
                                              • API String ID: 530164218-3284715837
                                              • Opcode ID: c20953c35db1116ecdf277b9f7b3923fed37fef6e8e5c3a171d6f7dc7f85f207
                                              • Instruction ID: 694a286dd4981efc18ef326c294584d4bec2a1602357d8abc11fec8a6f834ca0
                                              • Opcode Fuzzy Hash: c20953c35db1116ecdf277b9f7b3923fed37fef6e8e5c3a171d6f7dc7f85f207
                                              • Instruction Fuzzy Hash: EC11D4B1B046109BCB24DF15DC809337BBDEB8471A329813BE941A73A1C73D9E029A98
                                              APIs
                                                • Part of subcall function 00405D36: lstrcpynA.KERNEL32(?,?,00000400,00403287,00422F00,NSIS Error), ref: 00405D43
                                                • Part of subcall function 0040585F: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsv5087.tmp,?,004058CB,C:\Users\user\AppData\Local\Temp\nsv5087.tmp,C:\Users\user\AppData\Local\Temp\nsv5087.tmp,?,?,75572EE0,00405616,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 0040586D
                                                • Part of subcall function 0040585F: CharNextA.USER32(00000000), ref: 00405872
                                                • Part of subcall function 0040585F: CharNextA.USER32(00000000), ref: 00405886
                                              • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsv5087.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsv5087.tmp,C:\Users\user\AppData\Local\Temp\nsv5087.tmp,?,?,75572EE0,00405616,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 00405907
                                              • GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsv5087.tmp,C:\Users\user\AppData\Local\Temp\nsv5087.tmp,C:\Users\user\AppData\Local\Temp\nsv5087.tmp,C:\Users\user\AppData\Local\Temp\nsv5087.tmp,C:\Users\user\AppData\Local\Temp\nsv5087.tmp,C:\Users\user\AppData\Local\Temp\nsv5087.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsv5087.tmp,C:\Users\user\AppData\Local\Temp\nsv5087.tmp,?,?,75572EE0,00405616,?,C:\Users\user\AppData\Local\Temp\,75572EE0), ref: 00405917
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                              • String ID: C:\Users\user\AppData\Local\Temp\nsv5087.tmp
                                              • API String ID: 3248276644-2698442286
                                              • Opcode ID: 681a1499075d1ef18d3e94b36260b5cb5e6403957cf75bde6daaeed28ee23a5f
                                              • Instruction ID: cee4b60d78671bb78a10d3fddc0396ac835ea714c96625339261d657e7680c9f
                                              • Opcode Fuzzy Hash: 681a1499075d1ef18d3e94b36260b5cb5e6403957cf75bde6daaeed28ee23a5f
                                              • Instruction Fuzzy Hash: 0AF02823105D6026C63233391C09AAF1B95CE86368B24853FFC51B22D1DB3C8863DE7E
                                              APIs
                                              • lstrlenA.KERNEL32(00000000,00000011), ref: 004024EF
                                              • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsv5087.tmp\System.dll,00000000,?,?,00000000,00000011), ref: 0040250E
                                              Strings
                                              • C:\Users\user\AppData\Local\Temp\nsv5087.tmp\System.dll, xrefs: 004024DD, 00402502
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: FileWritelstrlen
                                              • String ID: C:\Users\user\AppData\Local\Temp\nsv5087.tmp\System.dll
                                              • API String ID: 427699356-2465516685
                                              • Opcode ID: c26acdc685a8462abcf9d22027095d01786db15fbce5111d7f188410cb5afd7d
                                              • Instruction ID: 4826b5ec7f58a8945af1d05ae4e09a11cd1e532a13e769836b40841c5f4177c7
                                              • Opcode Fuzzy Hash: c26acdc685a8462abcf9d22027095d01786db15fbce5111d7f188410cb5afd7d
                                              • Instruction Fuzzy Hash: 80F054B2A54244BFDB40ABA19E499EB66A4DB40309F10443FB141F61C2D5BC4941A66A
                                              APIs
                                              • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421500,Error launching installer), ref: 0040550E
                                              • CloseHandle.KERNEL32(?), ref: 0040551B
                                              Strings
                                              • Error launching installer, xrefs: 004054F8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: CloseCreateHandleProcess
                                              • String ID: Error launching installer
                                              • API String ID: 3712363035-66219284
                                              • Opcode ID: a807c8c1498f9a3ccd34e9273e49e04dcb617f56f5cccdb726230c0895ca6d7f
                                              • Instruction ID: 0ae392a05d3974bec86de51aa2f8a5c28ff0ee3cdd976454f3eed0d5dd72dd2a
                                              • Opcode Fuzzy Hash: a807c8c1498f9a3ccd34e9273e49e04dcb617f56f5cccdb726230c0895ca6d7f
                                              • Instruction Fuzzy Hash: 2BE0BFB4A00209BFEB109FA4ED05F7B76ADEB14745F508561BD11F2160E774A9108A79
                                              APIs
                                              • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CE5,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Ppto.24265.exe,C:\Users\user\Desktop\Ppto.24265.exe,80000000,00000003), ref: 00405813
                                              • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CE5,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Ppto.24265.exe,C:\Users\user\Desktop\Ppto.24265.exe,80000000,00000003), ref: 00405821
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: CharPrevlstrlen
                                              • String ID: C:\Users\user\Desktop
                                              • API String ID: 2709904686-1876063424
                                              • Opcode ID: c27a981e79bb352b20b7a8c74a9367836393bd04b8b6ccbc39cacac652a51138
                                              • Instruction ID: ba052d51ab232c33a65bcd29671eceb75c11827358d6bb1c4ef4a0a5cf44e1aa
                                              • Opcode Fuzzy Hash: c27a981e79bb352b20b7a8c74a9367836393bd04b8b6ccbc39cacac652a51138
                                              • Instruction Fuzzy Hash: 94D0A77341AD701EE30372109C04B8F6A48CF16300F098462E440B61A0C2780C414BED
                                              APIs
                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 1000115B
                                              • GlobalFree.KERNEL32(00000000), ref: 100011B4
                                              • GlobalFree.KERNEL32(?), ref: 100011C7
                                              • GlobalFree.KERNEL32(?), ref: 100011F5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2421076785.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000000.00000002.2421054832.0000000010000000.00000002.00000001.01000000.00000006.sdmp
                                              • Associated: 00000000.00000002.2421092882.0000000010003000.00000002.00000001.01000000.00000006.sdmp
                                              • Associated: 00000000.00000002.2421108342.0000000010005000.00000002.00000001.01000000.00000006.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_10000000_Ppto.jbxd
                                              Similarity
                                              • API ID: Global$Free$Alloc
                                              • String ID:
                                              • API String ID: 1780285237-0
                                              • Opcode ID: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
                                              • Instruction ID: 5d3a3765e571093bf703368c32e31ec5bfeafbef09712c331e02e9e13643e521
                                              • Opcode Fuzzy Hash: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
                                              • Instruction Fuzzy Hash: 6531ABB1808255AFF715CFA8DC89AEA7FE8EB052C1B164115FA45D726CDB34D910CB24
                                              APIs
                                              • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B5B,00000000,[Rename],00000000,00000000,00000000), ref: 0040593C
                                              • lstrcmpiA.KERNEL32(00405B5B,00000000), ref: 00405954
                                              • CharNextA.USER32(00405B5B,?,00000000,00405B5B,00000000,[Rename],00000000,00000000,00000000), ref: 00405965
                                              • lstrlenA.KERNEL32(00405B5B,?,00000000,00405B5B,00000000,[Rename],00000000,00000000,00000000), ref: 0040596E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2404045311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2404030666.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404060230.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404074047.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2404164831.0000000000439000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ppto.jbxd
                                              Similarity
                                              • API ID: lstrlen$CharNextlstrcmpi
                                              • String ID:
                                              • API String ID: 190613189-0
                                              • Opcode ID: 0add82ed76356020c4ee8264c56a6ad6875436601f5ed096891bbb40787d2247
                                              • Instruction ID: 6acf3bc3cda9f3bfd2525b0ac34aa546eab038af588102683640af0afc927a81
                                              • Opcode Fuzzy Hash: 0add82ed76356020c4ee8264c56a6ad6875436601f5ed096891bbb40787d2247
                                              • Instruction Fuzzy Hash: 27F0C232604518FFC7129BA4DD40D9FBBA8EF06360B2500AAE800F7250D274EE019FAA

                                              Execution Graph

                                              Execution Coverage:0%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:100%
                                              Total number of Nodes:1
                                              Total number of Limit Nodes:0
                                              execution_graph 68113 36092df0 LdrInitializeThunk

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1 360935c0-360935cc LdrInitializeThunk
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: c26b777ea503e65a6760c9b70759a8b7ad262ff97e84cd23c92538b2ff320fc0
                                              • Instruction ID: 9389e64c6f199e8e2ed80b66b475ac77105a83a0d7e023210df33a0c73378225
                                              • Opcode Fuzzy Hash: c26b777ea503e65a6760c9b70759a8b7ad262ff97e84cd23c92538b2ff320fc0
                                              • Instruction Fuzzy Hash: 76900271B0560402E10071D88555706140647E0241F65C452A142452CD87958A5565A2

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 0 36092df0-36092dfc LdrInitializeThunk
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: e56c25838536930cac6cdc17b8a5c80097e2352456b659513971a765d6ea7525
                                              • Instruction ID: 94cc9ffb2aa0ccecac5e42cc224b6858611832e7df93052ae9ffe8f85a56d9c6
                                              • Opcode Fuzzy Hash: e56c25838536930cac6cdc17b8a5c80097e2352456b659513971a765d6ea7525
                                              • Instruction Fuzzy Hash: AE90027170150413E11171D88545707040A47E0281F95C453A142451CD96568A56A121
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                              • API String ID: 0-2160512332
                                              • Opcode ID: 25b416b37786fd7aa179308507dc38fa050bd3f1e0ec654a8253ad287b1be730
                                              • Instruction ID: be27ec4b5ab078404bed50abebefff4951e80cead0544b6a65410af6388476f6
                                              • Opcode Fuzzy Hash: 25b416b37786fd7aa179308507dc38fa050bd3f1e0ec654a8253ad287b1be730
                                              • Instruction Fuzzy Hash: 6892BC75A08341AFE321CE21C982B5BBBE8FF84754F504AADFA94D7250D770D844CB9A

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: $ $0
                                              • API String ID: 3446177414-3352262554
                                              • Opcode ID: c36d708c1aec3a4c7000442d41cbd12ac523d5bf44874249eb47b82a2f2e65e2
                                              • Instruction ID: 81403c51981564d6c260e36d13fe7bd7c218effeb815d9538be11e3157f05ab8
                                              • Opcode Fuzzy Hash: c36d708c1aec3a4c7000442d41cbd12ac523d5bf44874249eb47b82a2f2e65e2
                                              • Instruction Fuzzy Hash: BD3234B1A183818FE310CF69C985B8BBBE5BBC8344F10496EF5D98B250D776D948CB52

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              Strings
                                              • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 360C54E2
                                              • undeleted critical section in freed memory, xrefs: 360C542B
                                              • corrupted critical section, xrefs: 360C54C2
                                              • double initialized or corrupted critical section, xrefs: 360C5508
                                              • Thread identifier, xrefs: 360C553A
                                              • Invalid debug info address of this critical section, xrefs: 360C54B6
                                              • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 360C54CE
                                              • Address of the debug info found in the active list., xrefs: 360C54AE, 360C54FA
                                              • Critical section address, xrefs: 360C5425, 360C54BC, 360C5534
                                              • 8, xrefs: 360C52E3
                                              • Critical section address., xrefs: 360C5502
                                              • Thread is in a state in which it cannot own a critical section, xrefs: 360C5543
                                              • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 360C540A, 360C5496, 360C5519
                                              • Critical section debug info address, xrefs: 360C541F, 360C552E
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                              • API String ID: 0-2368682639
                                              • Opcode ID: 82824ae1534428d49fdd240e6c7a24f66a9c972ef9d9220720b1c787bd040770
                                              • Instruction ID: 0305c5c7fc0161456df18aad2d177216b155daef9905e9544942079598c36222
                                              • Opcode Fuzzy Hash: 82824ae1534428d49fdd240e6c7a24f66a9c972ef9d9220720b1c787bd040770
                                              • Instruction Fuzzy Hash: 698188B4901258AFEB11CF95C882BAEBFF9BB48315F2041D9F504BB280D775A951CFA0

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                              • API String ID: 3446177414-1700792311
                                              • Opcode ID: 7a53a2a1a5b238b4768de97e94dfac5b554f1a622940d7f21d9442cd328c8d6c
                                              • Instruction ID: 5612101966a7c898a2e6c84e438ca01acfc4e4915c715d73ae29eab4cd03dd62
                                              • Opcode Fuzzy Hash: 7a53a2a1a5b238b4768de97e94dfac5b554f1a622940d7f21d9442cd328c8d6c
                                              • Instruction Fuzzy Hash: D2D10E79914680EFDF12DFA4C801AA9BFF2FF4A306F448099E444AB252CB39D981CF55
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                                              • API String ID: 3446177414-1745908468
                                              • Opcode ID: 0b751d0ee354d46ef269d1639c007ecf117fe0e99f1355bf4631f8334b0427f3
                                              • Instruction ID: 4c85dd294b79d3f766bfc0227304c9ef3e3d3f78d8b0e75d0a37a15726acba92
                                              • Opcode Fuzzy Hash: 0b751d0ee354d46ef269d1639c007ecf117fe0e99f1355bf4631f8334b0427f3
                                              • Instruction Fuzzy Hash: 0E910E75920640DFDB12CFA9C842A9DBFF2FF49714F1880D9E444AB2A1CB769882CF55
                                              APIs
                                              • RtlDebugPrintTimes.NTDLL ref: 3604656C
                                                • Part of subcall function 360465B5: RtlDebugPrintTimes.NTDLL ref: 36046664
                                                • Part of subcall function 360465B5: RtlDebugPrintTimes.NTDLL ref: 360466AF
                                              Strings
                                              • minkernel\ntdll\ldrinit.c, xrefs: 360A9A11, 360A9A3A
                                              • Getting the shim engine exports failed with status 0x%08lx, xrefs: 360A9A01
                                              • apphelp.dll, xrefs: 36046496
                                              • LdrpInitShimEngine, xrefs: 360A99F4, 360A9A07, 360A9A30
                                              • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 360A9A2A
                                              • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 360A99ED
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                              • API String ID: 3446177414-204845295
                                              • Opcode ID: 7fa7dcbbfe24d6ea760c923e281f29ecee85cef572f027098a854251ca8da1c4
                                              • Instruction ID: 62964c4a8f6f17ac8d1eb62e3ceb890d5393292563db2c36ca6629c90c37b792
                                              • Opcode Fuzzy Hash: 7fa7dcbbfe24d6ea760c923e281f29ecee85cef572f027098a854251ca8da1c4
                                              • Instruction Fuzzy Hash: 2C51D1716283009FE321DF61CD42A5F7FE6FF84784F5049AAF585AB160EA30E954CB92
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                              • API String ID: 0-3591852110
                                              • Opcode ID: dd7ea18b7d1d3bb963976724deaf63335dc34483611974e8acac0f5023093407
                                              • Instruction ID: 1cc75fd33f74b55edd37e7e8748e8c7756d9c098bbc893164bb71060e6d16648
                                              • Opcode Fuzzy Hash: dd7ea18b7d1d3bb963976724deaf63335dc34483611974e8acac0f5023093407
                                              • Instruction Fuzzy Hash: E912AE74A00641EFEB66CFA5C442BA6BFF1FF09314F558899E4858B651DB38E880CF91
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                                              • API String ID: 0-3532704233
                                              • Opcode ID: c7a59db31c3ac885c69a708d3391ecd7b4a16d4b4d1acfa2fd7bde0342ab1381
                                              • Instruction ID: 6747f77729db781f9199d3b305591583915bfc1b2257ab56e65d513860532baf
                                              • Opcode Fuzzy Hash: c7a59db31c3ac885c69a708d3391ecd7b4a16d4b4d1acfa2fd7bde0342ab1381
                                              • Instruction Fuzzy Hash: BAB1BDB19183519FD722DF54C842A5FBFE8AB84784F0209AEF898D7290DB70D944CF92
                                              APIs
                                              • RtlDebugPrintTimes.NTDLL ref: 3607D959
                                                • Part of subcall function 36054859: RtlDebugPrintTimes.NTDLL ref: 360548F7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                                              • API String ID: 3446177414-1975516107
                                              • Opcode ID: af5dc41f1190d92907caa720823cb79ad996285a49b3ec1130dd7877b9caefad
                                              • Instruction ID: 32105647f3b87966af18231a6e36b630ace26dbea50eec59f76d4e3fb9c3e193
                                              • Opcode Fuzzy Hash: af5dc41f1190d92907caa720823cb79ad996285a49b3ec1130dd7877b9caefad
                                              • Instruction Fuzzy Hash: 9351DCB5E043459FEB01CFA5C98678DBFF2BF44358F248199C5207B281DBB0A892CB95
                                              Strings
                                              • minkernel\ntdll\ldrinit.c, xrefs: 360BA9A2
                                              • LdrpDynamicShimModule, xrefs: 360BA998
                                              • apphelp.dll, xrefs: 36072462
                                              • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 360BA992
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                              • API String ID: 0-176724104
                                              • Opcode ID: 50fa43ad2453af296fb632cbe4a19d5a3d08f6a50b705022126971b3dea66517
                                              • Instruction ID: 00aeb070d0665a44f057cf4b2ce8148b8884477cd4b0e06387d0fc6818fee987
                                              • Opcode Fuzzy Hash: 50fa43ad2453af296fb632cbe4a19d5a3d08f6a50b705022126971b3dea66517
                                              • Instruction Fuzzy Hash: A8312875A10301EBEB169F59C942A5EBFF5FF84754F6140D9E600B7240CBB0D892DB90
                                              Strings
                                              • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 360C219F
                                              • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 360C2180
                                              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 360C21BF
                                              • RtlGetAssemblyStorageRoot, xrefs: 360C2160, 360C219A, 360C21BA
                                              • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 360C2178
                                              • SXS: %s() passed the empty activation context, xrefs: 360C2165
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                              • API String ID: 0-861424205
                                              • Opcode ID: 61bc35b23b6a14d76efbdebdb1b403bb84137db078c7a69ab2281afc72799653
                                              • Instruction ID: b5b9f17f220afd8ec7ba580a015f29a017744bea7a2b78d20fdaf3b8ad622e14
                                              • Opcode Fuzzy Hash: 61bc35b23b6a14d76efbdebdb1b403bb84137db078c7a69ab2281afc72799653
                                              • Instruction Fuzzy Hash: C8312676E41224ABF710CA9ACC47F5E7FA8EB65685F0140D9BE04AB250D670DE00CAE9
                                              Strings
                                              • minkernel\ntdll\ldrinit.c, xrefs: 3608C6C3
                                              • Loading import redirection DLL: '%wZ', xrefs: 360C8170
                                              • minkernel\ntdll\ldrredirect.c, xrefs: 360C8181, 360C81F5
                                              • LdrpInitializeImportRedirection, xrefs: 360C8177, 360C81EB
                                              • LdrpInitializeProcess, xrefs: 3608C6C4
                                              • Unable to build import redirection Table, Status = 0x%x, xrefs: 360C81E5
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                              • API String ID: 0-475462383
                                              • Opcode ID: 6f199d7cc4d6388b0f2533cf143fe7d073fcdb1b7645da668363a92c917cdc86
                                              • Instruction ID: e28077497bab46b1e39005eacf3891bbe7f5fc160e76d6d15a0bb5ac2abb1e50
                                              • Opcode Fuzzy Hash: 6f199d7cc4d6388b0f2533cf143fe7d073fcdb1b7645da668363a92c917cdc86
                                              • Instruction Fuzzy Hash: 4531C0B16053459FD210DB29CE87E1E7FE5EF84611F4405E8F9856B291E620DC05CBA7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                              • API String ID: 0-4253913091
                                              • Opcode ID: 8791ecf9dda783726f4653c4381818f21e0ce9501ae21e4297e7f01423811f28
                                              • Instruction ID: 6828655daea46214697c3ef99c1545825bfc096bd7ca31f9aae9e9dbfcdaa144
                                              • Opcode Fuzzy Hash: 8791ecf9dda783726f4653c4381818f21e0ce9501ae21e4297e7f01423811f28
                                              • Instruction Fuzzy Hash: 67F1B274A00605DFEB05CFA6CA92B5ABBF2FF45348F1481E8E4469B351D734E981CB91
                                              Strings
                                              • RTL: Re-Waiting, xrefs: 360C031E
                                              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 360C02E7
                                              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 360C02BD
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                              • API String ID: 0-2474120054
                                              • Opcode ID: c55891b8d6686b329f3f22b9e4b233e731927971b0b6a4aa3ec923325b762665
                                              • Instruction ID: 7f6f9a5d79d970a1f11db5c89b1316b8ba0e526636971770f18b8050b27fb5c3
                                              • Opcode Fuzzy Hash: c55891b8d6686b329f3f22b9e4b233e731927971b0b6a4aa3ec923325b762665
                                              • Instruction Fuzzy Hash: C6E1DF74A04741DFE311CF29C982B1ABBE1BF84358F200A9DF5A58B2E0DB75D944CB96
                                              APIs
                                              Strings
                                              • minkernel\ntdll\ldrinit.c, xrefs: 360C82E8
                                              • Failed to reallocate the system dirs string !, xrefs: 360C82D7
                                              • LdrpInitializePerUserWindowsDirectory, xrefs: 360C82DE
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                              • API String ID: 3446177414-1783798831
                                              • Opcode ID: 404634cf3e76aaa6d87c0b1953cf9229fe8f16c40c02396bb8f95a0e184f07dd
                                              • Instruction ID: e1090fd31f75e259a2d053277c4d880569a5ea1cfc5d4c95ca18007976de39a0
                                              • Opcode Fuzzy Hash: 404634cf3e76aaa6d87c0b1953cf9229fe8f16c40c02396bb8f95a0e184f07dd
                                              • Instruction Fuzzy Hash: A1410FB5914310ABD322DB64CE46B4B3FF9EF45754F0049AAFA48E7290EB34D811CB96
                                              APIs
                                              Strings
                                              • LdrpCheckRedirection, xrefs: 360D488F
                                              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 360D4888
                                              • minkernel\ntdll\ldrredirect.c, xrefs: 360D4899
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                              • API String ID: 3446177414-3154609507
                                              • Opcode ID: 8bfa66388ceff09098d6dfd718b711ab9ad54f0b2de18721c476def8e70e7ecc
                                              • Instruction ID: 61d93a86d33fb0c28b4199a0a28e3399af49475ce7ef78ea45b0868f6d9cc2b2
                                              • Opcode Fuzzy Hash: 8bfa66388ceff09098d6dfd718b711ab9ad54f0b2de18721c476def8e70e7ecc
                                              • Instruction Fuzzy Hash: 3C41AF76A143619FDB11CE59C942A1ABFE5BF49690F0107E9ED88A7211D770D810CBE1
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID:
                                              • API String ID: 3446177414-0
                                              • Opcode ID: 60f45d138b2912ac9702425b2d51308abfee6e2d2592076d3cada3c69a81d18c
                                              • Instruction ID: a06fc0192602dc1c6eb45a021584ccd764b9fb040cfe862ef657db8a83cc5566
                                              • Opcode Fuzzy Hash: 60f45d138b2912ac9702425b2d51308abfee6e2d2592076d3cada3c69a81d18c
                                              • Instruction Fuzzy Hash: D5F11976E006118FDB08CF69C9E067EBBF6EF88214B5A416DD456DB380E734EA41CB90
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                                              • API String ID: 0-3061284088
                                              • Opcode ID: 3b171b5ad471f1d4c91b2cd2dcc33d2bba1925a074cc6ac5bbb852103bd568dd
                                              • Instruction ID: d811f26d697327b48152858d2076460aba700cdf295dee34795e9ea375787006
                                              • Opcode Fuzzy Hash: 3b171b5ad471f1d4c91b2cd2dcc33d2bba1925a074cc6ac5bbb852103bd568dd
                                              • Instruction Fuzzy Hash: F5012836024290EEE22793A4D90FF967FF4EF427B1F2440E9E00047990CF699C84CA61
                                              APIs
                                              Strings
                                              • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 3605063D
                                              • kLsE, xrefs: 36050540
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                              • API String ID: 3446177414-2547482624
                                              • Opcode ID: ec8f36c73635c43c2cec5ab3023362d889620ed635418446f53bf69fec24ad6b
                                              • Instruction ID: d532bd618a1e159a52d74da2970e7a01985b87b042209a6c21826a6372906ae8
                                              • Opcode Fuzzy Hash: ec8f36c73635c43c2cec5ab3023362d889620ed635418446f53bf69fec24ad6b
                                              • Instruction Fuzzy Hash: 6F51CFB59187468FD314DF65C64269BBFE4AF84304F1188BEEADA87240E730D585CF92
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                              • API String ID: 0-379654539
                                              • Opcode ID: 0e60275c3330c5c4943a03b4239790c15eb7c8b6dad6b21a267f1ef66bcb898f
                                              • Instruction ID: d5ab349402b1e6c7d03d998091f12be279ae1dfc888e4966df26db302fe70489
                                              • Opcode Fuzzy Hash: 0e60275c3330c5c4943a03b4239790c15eb7c8b6dad6b21a267f1ef66bcb898f
                                              • Instruction Fuzzy Hash: C4C1B17450C382CFE701CF55C541B6ABBE4FF84748F0189A9FA94AB250EBB4C949CB96
                                              Strings
                                              • minkernel\ntdll\ldrinit.c, xrefs: 36088421
                                              • LdrpInitializeProcess, xrefs: 36088422
                                              • @, xrefs: 36088591
                                              • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 3608855E
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                              • API String ID: 0-1918872054
                                              Strings
                                              • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 360C21D9, 360C22B1
                                              • .Local, xrefs: 360828D8
                                              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 360C22B6
                                              • SXS: %s() passed the empty activation context, xrefs: 360C21DE
                                              Similarity
                                              • API ID:
                                              • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                              • API String ID: 0-1239276146
                                              Strings
                                              • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 360B1028
                                              • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 360B0FE5
                                              • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 360B106B
                                              • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 360B10AE
                                              Similarity
                                              • API ID:
                                              • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                              • API String ID: 0-1468400865
                                              Strings
                                              Similarity
                                              • API ID:
                                              • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                              • API String ID: 0-2586055223
                                              Strings
                                              • HEAP: , xrefs: 36051596
                                              • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 36051728
                                              • HEAP[%wZ]: , xrefs: 36051712
                                              Similarity
                                              • API ID:
                                              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                              • API String ID: 0-3178619729
                                              Strings
                                              Similarity
                                              • API ID:
                                              • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                                              • API String ID: 0-1145731471
                                              Strings
                                              Similarity
                                              • API ID:
                                              • String ID: @$DelegatedNtdll$\SystemRoot\system32\
                                              • API String ID: 0-2391371766
                                              Strings
                                              Similarity
                                              • API ID:
                                              • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
                                              • API String ID: 0-318774311
                                              Strings
                                              Similarity
                                              • API ID:
                                              • String ID: Objects=%4u$Objects>%4u$VirtualAlloc
                                              • API String ID: 0-3870751728
                                              Strings
                                              Similarity
                                              • API ID:
                                              • String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
                                              • API String ID: 0-373624363
                                              Strings
                                              • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 3612B82A
                                              • GlobalizationUserSettings, xrefs: 3612B834
                                              • TargetNtPath, xrefs: 3612B82F
                                              Similarity
                                              • API ID:
                                              • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                                              • API String ID: 0-505981995
                                              Strings
                                              • HEAP: , xrefs: 360AE6B3
                                              • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 360AE6C6
                                              • HEAP[%wZ]: , xrefs: 360AE6A6
                                              Similarity
                                              • API ID:
                                              • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                              • API String ID: 0-1340214556
                                              Strings
                                              • minkernel\ntdll\ldrmap.c, xrefs: 360BA59A
                                              • LdrpCompleteMapModule, xrefs: 360BA590
                                              • Could not validate the crypto signature for DLL %wZ, xrefs: 360BA589
                                              Similarity
                                              • API ID:
                                              • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                              • API String ID: 0-1676968949
                                              Strings
                                              Similarity
                                              • API ID:
                                              • String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
                                              • API String ID: 0-1151232445
                                              Strings
                                              • minkernel\ntdll\ldrtls.c, xrefs: 360C1B4A
                                              • LdrpAllocateTls, xrefs: 360C1B40
                                              • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 360C1B39
                                              Similarity
                                              • API ID:
                                              • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
                                              • API String ID: 0-4274184382
                                              Strings
                                              • SXS: %s() passed the empty activation context data, xrefs: 360C29FE
                                              • Actx , xrefs: 360833AC
                                              • RtlCreateActivationContext, xrefs: 360C29F9
                                              Similarity
                                              • API ID:
                                              • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
                                              • API String ID: 0-859632880
                                              Strings
                                              • @, xrefs: 360DB670
                                              • GlobalFlag, xrefs: 360DB68F
                                              • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 360DB632
                                              Similarity
                                              • API ID:
                                              • String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
                                              • API String ID: 0-4192008846
                                              Strings
                                              • minkernel\ntdll\ldrtls.c, xrefs: 360C1A51
                                              • LdrpInitializeTls, xrefs: 360C1A47
                                              • DLL "%wZ" has TLS information at %p, xrefs: 360C1A40
                                              Similarity
                                              • API ID:
                                              • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
                                              • API String ID: 0-931879808
                                              • Opcode ID: df8a613a9ba4b110595feb68e143279d09325acd92201b000ae447dd3528b37e
                                              • Instruction ID: b55b26f9d6d2e194e572a025a140a13758f3b0456ccf567715766c880df6fb79
                                              • Opcode Fuzzy Hash: df8a613a9ba4b110595feb68e143279d09325acd92201b000ae447dd3528b37e
                                              • Instruction Fuzzy Hash: 3331FF71A10202ABE711CB59CD86F5A7FB9FF40399F1401E9E644BB180EB70ADA5CB90
                                              Strings
                                              • BuildLabEx, xrefs: 3609130F
                                              • @, xrefs: 360912A5
                                              • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 3609127B
                                              Similarity
                                              • API ID:
                                              • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                              • API String ID: 0-3051831665
                                              • Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
                                              • Instruction ID: 7b4b90445e4f089768c2631281b4ee739e95b6ec91d63a3f64ef1de00b80f94a
                                              • Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
                                              • Instruction Fuzzy Hash: ED31A171A00218AFDB11DFA6CD42EDEBFFAEB84764F0044A5E514A71B0D7309A05EB95
                                              Strings
                                              Similarity
                                              • API ID:
                                              • String ID: @$@
                                              • API String ID: 0-149943524
                                              • Opcode ID: 283eb81f4f34886683c91f63e48742b3020922be3ccda4e27943c1e040189216
                                              • Instruction ID: 00db327be899a1eab161f0a3026c120f829372399bbb2a051975ec871460253a
                                              • Opcode Fuzzy Hash: 283eb81f4f34886683c91f63e48742b3020922be3ccda4e27943c1e040189216
                                              • Instruction Fuzzy Hash: 2032B1B49183118FDB15CF56C98273EBBE1EF84748F50899EF985972A0E774C890CB92
                                              APIs
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID:
                                              • API String ID: 3446177414-0
                                              • Opcode ID: 917b03602c533253b1cd0174447db460c228a7dcb1cbb6bd0825bd42a3538499
                                              • Instruction ID: 5dc764f00f53fa380733d0b4ea30a89c2ad3c593ad3029f3fe6adffbbe1b0eb4
                                              • Opcode Fuzzy Hash: 917b03602c533253b1cd0174447db460c228a7dcb1cbb6bd0825bd42a3538499
                                              • Instruction Fuzzy Hash: 63311234609B06FFEB428F60DE81A89FFA5FF44358F0190A5EA0147A50DBB0E920CBC1
                                              Strings
                                              Similarity
                                              • API ID:
                                              • String ID: `$`
                                              • API String ID: 0-197956300
                                              • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                              • Instruction ID: 1c26945ff2b225080659260b03cd8f62962e32dac302aeb1556d57cfe9a3931a
                                              • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                              • Instruction Fuzzy Hash: 40C1FE716083469BE714CF29C841B6BBFE6AFC4358F048A3DF595CA290DBB5D509CB82
                                              Strings
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID: Legacy$UEFI
                                              • API String ID: 2994545307-634100481
                                              • Opcode ID: 9e9bea0e4094385c295ef6cbb49501fe1151b1001333280b0233a395e4e5f799
                                              • Instruction ID: 2c2bedb9fe260adccb9d2439ac5a3cbf32d5edf6cd4732292e2d2f9f8da48440
                                              • Opcode Fuzzy Hash: 9e9bea0e4094385c295ef6cbb49501fe1151b1001333280b0233a395e4e5f799
                                              • Instruction Fuzzy Hash: D4614B71E003189FEB14CFA9C942AADBFF9FB48344F6040B9E549EB291DB719944CB50
                                              Strings
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: $$$
                                              • API String ID: 3446177414-233714265
                                              • Opcode ID: b3b05ec05fdace76c4431efb02f5d724b9a864f5310e4b78c111b9316e0ea5ba
                                              • Instruction ID: f05172bc43b0226aac7fcc75bad543d9439fe8d6ffc0a84045a179205ae803c6
                                              • Opcode Fuzzy Hash: b3b05ec05fdace76c4431efb02f5d724b9a864f5310e4b78c111b9316e0ea5ba
                                              • Instruction Fuzzy Hash: 8B61BB71E007499FEB20CFA6CA82B9DBFF2FF44308F1040A9D5156B290CB74A941CB91
                                              Strings
                                              • RtlpResUltimateFallbackInfo Enter, xrefs: 3605A2FB
                                              • RtlpResUltimateFallbackInfo Exit, xrefs: 3605A309
                                              Similarity
                                              • API ID:
                                              • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                              • API String ID: 0-2876891731
                                              • Opcode ID: 0684b0fbc2fd3e47d1b02e917ab4191f3a887e96019936fc9b41511d90d83788
                                              • Instruction ID: 38cdf6c5d09df96de330914b4bd5ca39a09f5fc963e0972cd19c22714ade5fa0
                                              • Opcode Fuzzy Hash: 0684b0fbc2fd3e47d1b02e917ab4191f3a887e96019936fc9b41511d90d83788
                                              • Instruction Fuzzy Hash: 2741AE75A08755DBEB018F6AC842B6E7FF4FF85348F2180E5EA00EB250EA75D940CB85
                                              Strings
                                              Similarity
                                              • API ID:
                                              • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
                                              • API String ID: 0-118005554
                                              • Opcode ID: aa5421bd6e684877a7f408275b81f1cdfbc4703c99420bb7bd79603abd050b9d
                                              • Instruction ID: 257fc77d03fe58b46cb227ab4aa06e1e9ec991a0f7335b5ec6e197e47750df86
                                              • Opcode Fuzzy Hash: aa5421bd6e684877a7f408275b81f1cdfbc4703c99420bb7bd79603abd050b9d
                                              • Instruction Fuzzy Hash: 3E31FC71608B919FD305CB7AD952B1ABFE4EF84354F00A8A9F850CB390EB30D905CB92
                                              Strings
                                              Similarity
                                              • API ID:
                                              • String ID: .Local\$@
                                              • API String ID: 0-380025441
                                              • Opcode ID: 36fa15095ec5dfa6c334562b8feb2fc6eea674de7a84218a15e5379fc5d900eb
                                              • Instruction ID: 96ce4d44bfef8b7d4e61779ac253a145fb650684b08d63a65337e5f570a49e60
                                              • Opcode Fuzzy Hash: 36fa15095ec5dfa6c334562b8feb2fc6eea674de7a84218a15e5379fc5d900eb
                                              • Instruction Fuzzy Hash: D73181B5509304AFE315CF79C982A5FBFE8EBC5658F40096EF99883210DA31DD44CB92
                                              Strings
                                              • RtlpInitializeAssemblyStorageMap, xrefs: 360C2A90
                                              • SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 360C2A95
                                              Similarity
                                              • API ID:
                                              • String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
                                              • API String ID: 0-2653619699
                                              • Opcode ID: ac928db6bfd9d2a061e588d3420838aa957470d4311732c1e81d155f21b5d047
                                              • Instruction ID: 68afa79886593f67dfc2e9a667c89055042dd150649c14f1fc254dec14ae8fd7
                                              • Opcode Fuzzy Hash: ac928db6bfd9d2a061e588d3420838aa957470d4311732c1e81d155f21b5d047
                                              • Instruction Fuzzy Hash: 8C110A76B00314ABF719CA998D43F5E7EE99BC4B54F1480E97904DF290DA75DD00C6A4
                                              Strings
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID: Cleanup Group$Threadpool!
                                              • API String ID: 2994545307-4008356553
                                              • Opcode ID: 988da0ee86749b1d7fde51cf37daaa637dab7a9bb81c2b9a9482fa9098d3501d
                                              • Instruction ID: c59f9213faefbefd0972b19b05b88f88750d51ca543a4f94ec4c47a6d1f9a371
                                              • Opcode Fuzzy Hash: 988da0ee86749b1d7fde51cf37daaa637dab7a9bb81c2b9a9482fa9098d3501d
                                              • Instruction Fuzzy Hash: D001D1B2111740AFE312CF18CE46B167BE9EB4471AF0089B9A648D7590E774D824CB8A
                                              Strings
                                              Similarity
                                              • API ID:
                                              • String ID: MUI
                                              • API String ID: 0-1339004836
                                              • Opcode ID: 4f3cbebf5fa0eae3451e6f373e1fcd04488e332f5f81377e402df6440cdbe4af
                                              • Instruction ID: 47d178297f811967825364df601e1f30932b97313d7ff9e53dfddd36226a689f
                                              • Opcode Fuzzy Hash: 4f3cbebf5fa0eae3451e6f373e1fcd04488e332f5f81377e402df6440cdbe4af
                                              • Instruction Fuzzy Hash: 38828E79E043188FEB24CFA9C88179DBBB1FF45354F1181AADA19AB290DB309D85CF54
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID:
                                              • API String ID: 3446177414-0
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID:
                                              • API String ID: 3446177414-0
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID:
                                              • API String ID: 3446177414-0
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID:
                                              • API String ID: 3446177414-0
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID:
                                              • API String ID: 3446177414-0
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID:
                                              • API String ID: 3446177414-0
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID:
                                              • API String ID: 3446177414-0
                                              Similarity
                                              • API ID:
                                              • String ID: GlobalTags
                                              • API String ID: 0-1106856819
                                              Similarity
                                              • API ID:
                                              • String ID: @
                                              • API String ID: 0-2766056989
                                              Similarity
                                              • API ID:
                                              • String ID: @
                                              • API String ID: 0-2766056989
                                              Similarity
                                              • API ID:
                                              • String ID: EXT-
                                              • API String ID: 0-1948896318
                                              Similarity
                                              • API ID:
                                              • String ID: PreferredUILanguages
                                              • API String ID: 0-1884656846
                                              Similarity
                                              • API ID:
                                              • String ID: BinaryHash
                                              • API String ID: 0-2202222882
                                              Similarity
                                              • API ID:
                                              • String ID: verifier.dll
                                              • API String ID: 0-3265496382
                                              Similarity
                                              • API ID:
                                              • String ID: #
                                              • API String ID: 0-1885708031
                                              Similarity
                                              • API ID:
                                              • String ID: Flst
                                              • API String ID: 0-2374792617
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: L4QwL4Qw
                                              • API String ID: 3446177414-1417497668
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 85a2eaee45df2c1330bb2dc1d30d80b74a4aad17363c82d23c147921664b0a54
                                              • Instruction ID: 0437ea881aba7cee560741490b820e5fcf47010c881fa2d7709cfc5bc0a44f2a
                                              • Opcode Fuzzy Hash: 85a2eaee45df2c1330bb2dc1d30d80b74a4aad17363c82d23c147921664b0a54
                                              • Instruction Fuzzy Hash: F232DFB5E00219DBDF14CFA9C882BAEBFB1FF44744F1400A9E805AB390E7359951CB95
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bfc9f532da739463658a2f55c61b38aefffc79ac12d52efd71edd492ec141700
                                              • Instruction ID: cff9d8a9bded3ab10b6cb638123790a520d72c81220355887f38be4ff7df5a72
                                              • Opcode Fuzzy Hash: bfc9f532da739463658a2f55c61b38aefffc79ac12d52efd71edd492ec141700
                                              • Instruction Fuzzy Hash: 0D22A079E002168FDB49CF59C491AAEFBB2FF89354F24857DD8559B340EB30A942CB90
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e9760976127e158d5d89e198497be65bf1fd57843d93291edba1c1fa47df1a54
                                              • Instruction ID: 342f4016bf75b90a16da3343bef5371d52bb5ab720b2bbaa8f2f9a201aa32daa
                                              • Opcode Fuzzy Hash: e9760976127e158d5d89e198497be65bf1fd57843d93291edba1c1fa47df1a54
                                              • Instruction Fuzzy Hash: 61D10371A103169BEB15DF65C8D2AAE7BF5BF44388F004AB9E911DB280EB34D944CB90
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: eddd9e1c7c330d014699e01bfa066aa67d2650cd0d9c8ceff7b64182aea45bd9
                                              • Instruction ID: 51f658b054727589d10de7df2de6c1b387dec0af13769b720b7bc13dd43915a9
                                              • Opcode Fuzzy Hash: eddd9e1c7c330d014699e01bfa066aa67d2650cd0d9c8ceff7b64182aea45bd9
                                              • Instruction Fuzzy Hash: 04C11274E053169BEB04CF59C842BAEBBF6EF44354F15C6A9DA20AB284D770E941CB90
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                              • Instruction ID: 602511dd14fbd04fc193f4c201a374d2c0d637e28bdd920794da578aefa78623
                                              • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                              • Instruction Fuzzy Hash: 02B1B278E007059FDB14CF95C982AABBFF9FF84358F504599A902972A4DA34ED05CB50
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dfe8ebb4608372686c65d16b231e9b543160a40fe5e288f8e8fc9ffaa4e2a156
                                              • Instruction ID: bfed280527360f082254e2b95169cc85855bd9c45983a2901d287a728372bd26
                                              • Opcode Fuzzy Hash: dfe8ebb4608372686c65d16b231e9b543160a40fe5e288f8e8fc9ffaa4e2a156
                                              • Instruction Fuzzy Hash: E7C11F75E103218BEB04CF1AC592B697BE3FB4474CF1581E9E941AB3A1DB708991CB90
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                              • Instruction ID: 1757ee331f5fa8cd008379da59189b934e7e4fb4545c116005c384fe29b713e2
                                              • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                              • Instruction Fuzzy Hash: C3B13771A00745AFEB11CBA6CA52BAFBFF6EF84308F1441D4E55297281DB30DA81CB91
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4a0b289a2ee90284031317d9df6bee35b03ff7ad6493270defeca380d612a6c5
                                              • Instruction ID: 78e7dae33e6abe8cb5bfc8d973cc862008725d2fab9314d106259e8db5bd811a
                                              • Opcode Fuzzy Hash: 4a0b289a2ee90284031317d9df6bee35b03ff7ad6493270defeca380d612a6c5
                                              • Instruction Fuzzy Hash: D5B1AD74A002658BEB35DF65C981BADB7F1EF45344F4085EAD40AAB280EB709DC6CF21
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a5c4031c3bed33b4f11bbef6df88406b5deae388b8dfacb7857462ed17fbc743
                                              • Instruction ID: 3f95e3626c94a985656af8f2bdbb432124ced5f166b9b08d2c0a20735cbc6003
                                              • Opcode Fuzzy Hash: a5c4031c3bed33b4f11bbef6df88406b5deae388b8dfacb7857462ed17fbc743
                                              • Instruction Fuzzy Hash: E0A1CD72A247519FE302CF64CE80B5ABBEAFF48748F510968E5859B250D734EC11DBE2
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4ba912aa4e4dd2445c570f4659bd1f31292914cc058304d021ff0c7bb7041c4c
                                              • Instruction ID: ff893bea92efa49fd3816d9b0e680efb7d66697a866551034626afa523a66852
                                              • Opcode Fuzzy Hash: 4ba912aa4e4dd2445c570f4659bd1f31292914cc058304d021ff0c7bb7041c4c
                                              • Instruction Fuzzy Hash: 25B1A0B8905341CFEB05CF29C482B997FF1FB04359F6245E9DA619B291DB31D892CBA0
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
                                              • Instruction ID: cbbd63023b69ac4bbcfb7026464bb0651188c7d6557b6e8c695d238c0f1a1c5c
                                              • Opcode Fuzzy Hash: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
                                              • Instruction Fuzzy Hash: 8571A279E0021A9BDF10CF65C980ABFB7F6AF44798F55455AE800AB281E736D981CF90
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7e4cd10035026ac6cbf518bf3e4236a8fff9b92afd6fc49cabf6d199ac55aa7e
                                              • Instruction ID: 62918d0fd98e7532dda1ab99eef234fbe259f4993aa4f5a33b2d608501d6fde7
                                              • Opcode Fuzzy Hash: 7e4cd10035026ac6cbf518bf3e4236a8fff9b92afd6fc49cabf6d199ac55aa7e
                                              • Instruction Fuzzy Hash: EC818E71A00709AFEB11CFA5C981ADEBBFAFF88354F204469E555A7250DB30AC45CBA1
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ade1c61dbaa2e3714cdbbf2d3dfa2fc3146f8bf2d1cc868cb6e472d3545c7e82
                                              • Instruction ID: 9d6521cfedb19242b6c92f11aa1446be491ec9fca5d451dcb1c49fbb6018a6d9
                                              • Opcode Fuzzy Hash: ade1c61dbaa2e3714cdbbf2d3dfa2fc3146f8bf2d1cc868cb6e472d3545c7e82
                                              • Instruction Fuzzy Hash: 7971DEB9C002259BDB158F5AD8917AEBFF1FF49708F10819BE951AB360E7709851CBA0
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 234ce362acef398c2c11e3800e0d47398559ae329aa2f14ce8a137eb26455f4b
                                              • Instruction ID: 8ba80fc5153a41dda900e1fd8bb36fb985393287fc460b5c7051d85380ec29cb
                                              • Opcode Fuzzy Hash: 234ce362acef398c2c11e3800e0d47398559ae329aa2f14ce8a137eb26455f4b
                                              • Instruction Fuzzy Hash: C5710375A146418FE701CF29C881B2ABBE5FF84308F1485E9F898CB351DB38D886CB95
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0e142a70e7e56ce54fda99ea6b5202fc4a1489d35828ba9828838824368234b2
                                              • Instruction ID: 699507baaefd0571a46797301507cfcd8cf02e70f579a2ef6bcc2e46a93da91c
                                              • Opcode Fuzzy Hash: 0e142a70e7e56ce54fda99ea6b5202fc4a1489d35828ba9828838824368234b2
                                              • Instruction Fuzzy Hash: D17112B6620B20AFE7218F25DD52F4EBFF6EF40764F1044A9E1558B2A0DB71E854CB50
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                              • Instruction ID: 1aa71cb28ec73a85733c6522ee11eda2c7b09e9057532b24a7a361eb72096ad0
                                              • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                              • Instruction Fuzzy Hash: 7C716D71E00619AFCB04CFA5CA81EDEBFB9FF48344F1045A9E906A7250DB30EA01CB90
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 17a1c7efcdbf5a58c810190703cc9d4af24d04845be3256420f7942673c02754
                                              • Instruction ID: f43e9ca969efb212ee3ca98002bf3e1ca73345bbc2d437b4d58222dfbdd7cfc6
                                              • Opcode Fuzzy Hash: 17a1c7efcdbf5a58c810190703cc9d4af24d04845be3256420f7942673c02754
                                              • Instruction Fuzzy Hash: EA816B75A00205CFDB09CFA9C491AAEBBF1FF88304F1581A9D859EB345D734EA51CB90
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e62cbbf1b0080dc7887f7c4d7dae4f1d9ce969ae1f9a13c48507d6b104a6fea3
                                              • Instruction ID: ca0a7a498251dabbab455eda0ef9595aec418cee886d8504e89a97166eb327c4
                                              • Opcode Fuzzy Hash: e62cbbf1b0080dc7887f7c4d7dae4f1d9ce969ae1f9a13c48507d6b104a6fea3
                                              • Instruction Fuzzy Hash: F96104756147518BE301CF75C990B5AB7E1BF80708F154C7CE8AA8B691DB35E806CB82
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 133b88365fecf14bc9c291da89d8c9116746de16d055e971ea01ed028c8749d9
                                              • Instruction ID: 4275b64c7cee28fd3dadcbc4ce834445898965687f1fc31f7b2397d2bb5451d3
                                              • Opcode Fuzzy Hash: 133b88365fecf14bc9c291da89d8c9116746de16d055e971ea01ed028c8749d9
                                              • Instruction Fuzzy Hash: 5A51BFB15042009FE321DF65CE86F5E3FF9EB85764F1006ADEA619B291DB30A811C7A6
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
                                              • Instruction ID: 2fe2ed11aa36209da6432bce51ced8f0e40c97ee23cf7cdaef5ea095f94ebd1e
                                              • Opcode Fuzzy Hash: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
                                              • Instruction Fuzzy Hash: 985128B66007129BDB009F61DC42A6F7FE5EF84284F4005A9F954CB2D0FB34C855D7A2
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9d8af123dbe3a493700aa9a194db5ebe8e64b3bcf0fe32baf4c1c4f60d157cc1
                                              • Instruction ID: 22d47382ccb16160f079124be09b5b37f15a3de129a2f4350196968e4d6a67dd
                                              • Opcode Fuzzy Hash: 9d8af123dbe3a493700aa9a194db5ebe8e64b3bcf0fe32baf4c1c4f60d157cc1
                                              • Instruction Fuzzy Hash: A6412471640700ABE7279F2ACD42B1A7FF5EF457A4F2144B9E6199B250DB30D841CF90
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 663a663e613307da34c328290f5e3717e0bd1d558865d1d8597bdf2434e6afb4
                                              • Instruction ID: d5c53de5a949b659bcad58bbb2ec4f81ddd942f7aadd8f78836eba5c927cc226
                                              • Opcode Fuzzy Hash: 663a663e613307da34c328290f5e3717e0bd1d558865d1d8597bdf2434e6afb4
                                              • Instruction Fuzzy Hash: 2351B970900309ABEB218FA5CD82BDDBFF9EF01344F6085AAE5A4A7190DB718944EF55
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bc675d6c42ec1cf4fd745c961d750546d138988855c563910b5cb7ea029b1041
                                              • Instruction ID: f16715f9d9702dcd5743e728ccf69259dea48f84ab4e4d420a2a4872cc9da447
                                              • Opcode Fuzzy Hash: bc675d6c42ec1cf4fd745c961d750546d138988855c563910b5cb7ea029b1041
                                              • Instruction Fuzzy Hash: 4C51DF79E10726DFD715CF6AC8826A9BBB0FF04718B1092A9E844DB350E734E991CBD0
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 86c8d6b9adbb23084a69d14ca80f09ce6bd1a8d784359a03473f18130f0ba24d
                                              • Instruction ID: 0ee681d2e69133776bcda6cea5f13f388a71281ec2f18a8913bea5fd3b351b80
                                              • Opcode Fuzzy Hash: 86c8d6b9adbb23084a69d14ca80f09ce6bd1a8d784359a03473f18130f0ba24d
                                              • Instruction Fuzzy Hash: A551A971600A14DFE721DF65CA82E9ABBF9FF44794F4008A9E54697260DB30ED40CBA2
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                              • Instruction ID: 3a50d4bad6b19a4bbf3a1ca738f5c48c1b3da47eb9469726e50efeb51015d3fe
                                              • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                              • Instruction Fuzzy Hash: 45517D75E00219ABDF05CF95C842BEEBFB5EF49754F1080A9E940AB240DB74DE44CBA9
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
                                              • Instruction ID: 3a90858906e11edfd1955fba19d9170a6e02356bd8d857b8c4a5b6387aae8c6d
                                              • Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
                                              • Instruction Fuzzy Hash: 9F515DB6A183419FD700CF69C880B5ABBE5FFC8344F048A2DF99497681D734E946CB92
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9933854ab07b5fe2d5c46a86074f17b827ec602631d51e55843975cf25752e7d
                                              • Instruction ID: dffa5f0af56db8061ae6f53d5f52dfd95f389cdd1cc30a03a3d464650f6bb2f6
                                              • Opcode Fuzzy Hash: 9933854ab07b5fe2d5c46a86074f17b827ec602631d51e55843975cf25752e7d
                                              • Instruction Fuzzy Hash: 1F4187B6D00229ABEB15DBA5CD42AAFBFBCEF04794F5141E5A910E7240E634CD40CBE1
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5f3df40e24169b11bcb09f05b82a5feaadc58a1e0e1bb58afc5b8e4019e26acd
                                              • Instruction ID: 253524b350e5bc1784dfba826192aa356cbace0e0e2f98a8d80a22475fe086c0
                                              • Opcode Fuzzy Hash: 5f3df40e24169b11bcb09f05b82a5feaadc58a1e0e1bb58afc5b8e4019e26acd
                                              • Instruction Fuzzy Hash: 9E41E175A047119BEB26DF75C982F5E3FB6AB45348F0008F8EA01AB241DFB19861CB91
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
                                              • Instruction ID: 4c4e9d9a958b493cc2561330a1814f5eb09a7d662bfaab27d80fb661755ae6d1
                                              • Opcode Fuzzy Hash: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
                                              • Instruction Fuzzy Hash: 0B518EB5600606EFDB05CF54C981A56BBF9FF45348F1580BAE908DF222E771EA85CB90
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 92b8722352530a26ca38f7a5be2b4da7abce6ae6366d403929fc661263bdaf4f
                                              • Instruction ID: fe4ab1def02da067622e509fdac857c610cc1ac7f9822c9f8e7a02350eb73d15
                                              • Opcode Fuzzy Hash: 92b8722352530a26ca38f7a5be2b4da7abce6ae6366d403929fc661263bdaf4f
                                              • Instruction Fuzzy Hash: 76512175A48791CFEB15CB29C842B1A7BE1EB40794F5681E6F9108B3D0DB74DD80CBA2
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                              • Instruction ID: f636d84469e017f2258c14b67ceeeb3bfb562b908fb8f890cc318aa88a25dda7
                                              • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                              • Instruction Fuzzy Hash: E7512879E00615CFDB04CF59C581AADFBF2FF84714F2481A9D815AB250DB70AE81CB90
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                                              • Instruction ID: 81d269c654cb06f54368bc38e3877444416bc1ffb7c35f7248a03be362a6ed57
                                              • Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                                              • Instruction Fuzzy Hash: 77511AB5E00205DFDB08CF69C49269DBBF1FB58314B5085AED8259B785D734E980CF90
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                              • Instruction ID: a726e2ab926d479f581a0c1e3c2cac45ce972e29289a84f95a972262a8c7211c
                                              • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                              • Instruction Fuzzy Hash: BC41C675F10249ABDB44CF96CC91AAFBBBAAF88340F548079E80097341DBB8DD01C7A0
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e128bd70dfafd72ef2496f9edad3c6bced372c07425f2f0ae2a8ab12d86cccaa
                                              • Instruction ID: 50bd9334f86af2a0d771535fb64c9ffebefd956a1ab318ebd8cc175dd24a5349
                                              • Opcode Fuzzy Hash: e128bd70dfafd72ef2496f9edad3c6bced372c07425f2f0ae2a8ab12d86cccaa
                                              • Instruction Fuzzy Hash: AF41C8729023148FEB05CF68C98279D7BB1EF183A8F5045E5D410BB280CB76D951DBA8
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6fea26073bb15adaa8e75fa1d492ed6611882154f3e8e6bcd8686bbb575a436d
                                              • Instruction ID: 8d253b82c808c8409ce244f9c65d65e714a15380180a9134e7780a9e4307fd26
                                              • Opcode Fuzzy Hash: 6fea26073bb15adaa8e75fa1d492ed6611882154f3e8e6bcd8686bbb575a436d
                                              • Instruction Fuzzy Hash: F94126B15042409FD321DF65CD82E5ABFF6EF84760F0085ADF96497290CB30E812CBA6
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                              • Instruction ID: 256bd29398792d685c228187d03a0faf7628af15d943211d962790a0f0cb0f1e
                                              • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                              • Instruction Fuzzy Hash: 77414975A00705EFDB24CF99CA81A9ABBF4FF08704B1049ADE196D7250D730EA44CF94
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9ecd172b58ce6e9bbac4051f2c46e2a4b1fba59d0a6e15727548d8111ba4999b
                                              • Instruction ID: 2dee07b3257e980ad6b241e795fe4921e244c89b7dcb1df610ef345ca8f357b4
                                              • Opcode Fuzzy Hash: 9ecd172b58ce6e9bbac4051f2c46e2a4b1fba59d0a6e15727548d8111ba4999b
                                              • Instruction Fuzzy Hash: 8741C376A047419FC310CF69CA41AAEBBE5FFC8740F004A59F89997690E730E954C7A6
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
                                              • Instruction ID: a15b1b25f0393187802f40c26bc1812d3a22dc0feead850952406145c2af733e
                                              • Opcode Fuzzy Hash: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
                                              • Instruction Fuzzy Hash: A0212371A01785DFF7068B66D946B067FE8EF80398F1900E1ED049B292EB74CD40C695
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ffb7e47fdac90dc9a8bdcfed16af94b388b1b611a736df81f02a88f6ed771feb
                                              • Instruction ID: 47573c1b5c9ea07527d1550d4749e30f8a8db5fe09474fdd88d669ff05065a33
                                              • Opcode Fuzzy Hash: ffb7e47fdac90dc9a8bdcfed16af94b388b1b611a736df81f02a88f6ed771feb
                                              • Instruction Fuzzy Hash: BB110875B0472DDBCB01CF5AC5C1A1A7FE9EF46754B5240E9EE088F200D6B1D901CB90
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b8b326f243c066a64c542d7494f058df41712bdec3aba99951e97f6052d3c8c1
                                              • Instruction ID: 4f640e7b644fe3486f1022ee6a4a0b5ca5de6a384f7888cf51ffe23b54d59a8d
                                              • Opcode Fuzzy Hash: b8b326f243c066a64c542d7494f058df41712bdec3aba99951e97f6052d3c8c1
                                              • Instruction Fuzzy Hash: 5521F5B4E0420CCBE716CF6AC4457EEBBF4EB84318F268058CA11672D0DBB89955C750
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ac042ebd144efb80954b419edcf4454fc72d9a20661e6026f726062c064f7ab4
                                              • Instruction ID: 7edeb63f0d0d0e025da69d20afc4bc7c191e682317988a09700e715f4ef91fb1
                                              • Opcode Fuzzy Hash: ac042ebd144efb80954b419edcf4454fc72d9a20661e6026f726062c064f7ab4
                                              • Instruction Fuzzy Hash: 6B21C374510B14DFE720CF65C842F6ABBF4FF44354F40886DE59AC7210DA70A860CBA0
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c467d16ee1f88199a7d31dcd0f1805bf3bb843ad1ff6770a41e4fca5e9661511
                                              • Instruction ID: 6a6c07d6144eff92a2054362050cafa1526e437a9048ff7e739fd6c05e75c257
                                              • Opcode Fuzzy Hash: c467d16ee1f88199a7d31dcd0f1805bf3bb843ad1ff6770a41e4fca5e9661511
                                              • Instruction Fuzzy Hash: 9B112BBA031341EAE3279F52C942A627FFAEB54784F504165EA00E7350D735DD23CBA5
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 768c7db37ec95a01db1aabe7b174e9709fe264e42b0b618c3fa017a1aa0ce76d
                                              • Instruction ID: 6b930b9436e01cb774d2d33e4deb2562a418e58132edd3f0e45047628d2c6867
                                              • Opcode Fuzzy Hash: 768c7db37ec95a01db1aabe7b174e9709fe264e42b0b618c3fa017a1aa0ce76d
                                              • Instruction Fuzzy Hash: F611BF7AA213189BD715CF5ACA82A4EBFF5EB84754F1240B9D9059B310DA34DD20CBD0
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: aa0fa15737a9395d164a7735b243214674573bc85285f1ce14a38d0d1ec1da84
                                              • Instruction ID: b9294268ea424ecf70102488bee0ac4080cf30bf603e82fc7882181c1a51b7fb
                                              • Opcode Fuzzy Hash: aa0fa15737a9395d164a7735b243214674573bc85285f1ce14a38d0d1ec1da84
                                              • Instruction Fuzzy Hash: 58018E77960310A7D6224667CD83B7B3FA8DBA47ACF5107A5BD205B280DA28CC91C3E1
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                              • Instruction ID: c36822fe981aa95dd8693d77205dac0e1335d87155f7b964f1c335d7a4b989da
                                              • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                              • Instruction Fuzzy Hash: B511CE35A00700EFE7218F46CD42B0A7FE5EB45788F4186ACE94C9B160DBB1DC40DB90
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dfab5533a5ede397f4b5c7052db63637ab4aed98d22ff061befae0eca81b067b
                                              • Instruction ID: 1697296e27d66d72b876b91021000cf603e63f6bd305e69f12d0c8b055f3ce9e
                                              • Opcode Fuzzy Hash: dfab5533a5ede397f4b5c7052db63637ab4aed98d22ff061befae0eca81b067b
                                              • Instruction Fuzzy Hash: 00016275B06344AFF302922AEC96F1B6FDCEF80398F4540F0F9009B240DAA5DC00C2AA
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3b783b844852f91ec02436a1c2fa2800738f09212b4b36bbf5d7b900353d0a33
                                              • Instruction ID: f0074ad9b071bc8ab2344e45dc178f3e0d64a7e5952b784d785e028f059d7240
                                              • Opcode Fuzzy Hash: 3b783b844852f91ec02436a1c2fa2800738f09212b4b36bbf5d7b900353d0a33
                                              • Instruction Fuzzy Hash: E611E3796087489FD711CF57C942B867FE5EB85768F020195FA0487240C774E850CFB0
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                              • Instruction ID: a726be9b8c7c99010d7b3968c52793e4a6058c7c75428a5c5c463e1e97c494bf
                                              • Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                              • Instruction Fuzzy Hash: 1A015275F00209AB9B05DAA6DE45D9F7BBDEF85B88F0040A9A905D3100E730EA05CF60
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7a7da0a988c37d5b3131f8beb79c4b5e1362d6a846bd08f97b47301a122dcdf7
                                              • Instruction ID: 4b532cf3a89700c7c6596b23981a2e7e6085024485aa0c10aabbcd8d09ea20b5
                                              • Opcode Fuzzy Hash: 7a7da0a988c37d5b3131f8beb79c4b5e1362d6a846bd08f97b47301a122dcdf7
                                              • Instruction Fuzzy Hash: 8911C276D10659ABCB12DFAACD82B5EBFF9EF44751F920495E901B7200C730AD21CBA1
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                              • Instruction ID: 47706cea9cd7fc1226edf42f7ec4426b640562ebc37c0178d9e9f43f6517efd5
                                              • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                              • Instruction Fuzzy Hash: 941108B5A127C59BF7128BA5E956B093FD4EF017CCF1500E0DE40C7641E738D982C695
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9aece75bb2d48ffc398ba79bd80b2b47388390912f0f2ea0dc1e88655569f1ee
                                              • Instruction ID: 67f2cf8350df58802088a531852abdf6e0ced111ce99787f16dc695a0cf33d19
                                              • Opcode Fuzzy Hash: 9aece75bb2d48ffc398ba79bd80b2b47388390912f0f2ea0dc1e88655569f1ee
                                              • Instruction Fuzzy Hash: 9F11E072A007149FE722CF55C846B9B7BE8EB44348F004879E985D7210D735EC00CFA1
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                              • Instruction ID: 937c29f2cedb689f7203906b9bdb263e4fd3678123293cd20322f67fca74be06
                                              • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                              • Instruction Fuzzy Hash: B101C076A00704BFE7518B55CD02B5A7FE9EF84790F1182A5E9049B261E771DD40CB90
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d16945cf1c040f81f47d68a86ee13f8502f6aff6dd7c26f757f7ad8cfb456b82
                                              • Instruction ID: 2792f6a869ef3a01f0b3d883fffe82a1077fb268a1f22ac2cfc07df9f0611a35
                                              • Opcode Fuzzy Hash: d16945cf1c040f81f47d68a86ee13f8502f6aff6dd7c26f757f7ad8cfb456b82
                                              • Instruction Fuzzy Hash: 70110275A007489BD710CF69CD46B9EBBF8FF44744F1500A6E501EB251DA39D901C791
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                              • Instruction ID: a77ff0a16d7a282e24dba16cb46223a0b6814bbbe0df6f80183a2b62a05c9fff
                                              • Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                              • Instruction Fuzzy Hash: 3501D276140919BFD7129F22CD82EA2FFBEFF503A0F400569F10042570C721ACA0DBA5
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                              • Instruction ID: aeaa78ef7f1aa1db9e7816a088122d8adcb06737960012029dc3a9775f7b55ba
                                              • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                              • Instruction Fuzzy Hash: A3010471904711ABD7329F1AD942A2A7FE5EB4577074089BDF895AB280DB31D800EFA0
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2f51b82ad2b2630c5a634c86ee9e644f49e2ef6a1e638c6df807c30ad68eb3db
                                              • Instruction ID: bf38a8698a25e457d25f987595de01d1df6fea6b5ffff431c70513a36b9c7bb3
                                              • Opcode Fuzzy Hash: 2f51b82ad2b2630c5a634c86ee9e644f49e2ef6a1e638c6df807c30ad68eb3db
                                              • Instruction Fuzzy Hash: 0CF04FB4A00248AFDB04DFB9DA95B9EBBF4EF08304F508459F905EB390D674EA00CB55
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cb624f9bb87ed61811400e128fb32ee26347aa31b2f9d8099321fa1f363fe0ce
                                              • Instruction ID: 318e4776a01ea90912a0d2da434a9f0e47ed02549024737b70e6fdf9b83665a1
                                              • Opcode Fuzzy Hash: cb624f9bb87ed61811400e128fb32ee26347aa31b2f9d8099321fa1f363fe0ce
                                              • Instruction Fuzzy Hash: F5F06275A10248EFDB04DFA9D916E9EBBF4EF44304F004099F901EB291D634E901CB55
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bfcce7567265836cf30a875cf3eba208d4e8549158f031430eefc429d09e3499
                                              • Instruction ID: 9e4a645fadde31b17c6b5e8d30b94fdf25bf59a2e88a509b0462b7cdbe8a184a
                                              • Opcode Fuzzy Hash: bfcce7567265836cf30a875cf3eba208d4e8549158f031430eefc429d09e3499
                                              • Instruction Fuzzy Hash: 1AF0C275D193E09FE3118A1BC841BA97FC49B00B64F164CE6C65483101C7A4D880C6E2
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                              • Instruction ID: 94c7008d9e8d556cc9815a205d2e604aa601381faef2acd41983897a313a295a
                                              • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                              • Instruction Fuzzy Hash: 08E092723006002BD7128E5A8D85F877BAEDFC6B10F0400B9B5045E261C9E29C19C2A5
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 96044a9964d76bb9462a0156fde74128dce0fb4d0cef6ef0110955408de3b5b9
                                              • Instruction ID: de59a2021b2deb8aa7604aee777394bfa4fd2c4dc7173da8d4ed0df78ab5c459
                                              • Opcode Fuzzy Hash: 96044a9964d76bb9462a0156fde74128dce0fb4d0cef6ef0110955408de3b5b9
                                              • Instruction Fuzzy Hash: 46F0E2B99116909FE312C725C546B257FF49B437B4F5894F6D40587612C764C8A0CA91
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6f053e534d8aeb26bd882749e63c16a0a5139122e6cb6e4de0c14f0d604bc73a
                                              • Instruction ID: c298e3f49447f2f14c327e09b696166df92a742cf606f5d904f96c9508fcff35
                                              • Opcode Fuzzy Hash: 6f053e534d8aeb26bd882749e63c16a0a5139122e6cb6e4de0c14f0d604bc73a
                                              • Instruction Fuzzy Hash: 52F054B0A10348DFDB04DFB5D956BAE77F4EF44704F404499A541EB2D1EA34D901CB55
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0ba1c9f143dd041c05d2af44181baf20f36d877283958ae0b68752c8f84a6696
                                              • Instruction ID: fd0170065bbaecd3444fb948267b9fde488f67cfa390328cd2ec08ff57267b46
                                              • Opcode Fuzzy Hash: 0ba1c9f143dd041c05d2af44181baf20f36d877283958ae0b68752c8f84a6696
                                              • Instruction Fuzzy Hash: 82F0E970A103489FDB04DFB5DA52EAE77F4FF04304F408498A501EB290DA74D900CB55
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5e85787326eb1b9d1b3e3457831fe825f70abf6aa50e1382f35c0b23cec25a7a
                                              • Instruction ID: 09ec1cbb8ae8431dddd1693ad54704fe92c05a18d68b540ee853183581464cf7
                                              • Opcode Fuzzy Hash: 5e85787326eb1b9d1b3e3457831fe825f70abf6aa50e1382f35c0b23cec25a7a
                                              • Instruction Fuzzy Hash: E8F0BE70A1034CAFDB08DFB9D952B9EBBF4EF08304F108498E601EB290DA74E901CB65
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5f871dc10b0806b72085b2f7f98cb871d00934c0c9e7aafd430e3cff5b47ded4
                                              • Instruction ID: 62b3915154e09e28fab38e63417ae499d9dc653eee9830f0407242be9567badc
                                              • Opcode Fuzzy Hash: 5f871dc10b0806b72085b2f7f98cb871d00934c0c9e7aafd430e3cff5b47ded4
                                              • Instruction Fuzzy Hash: 46F08271A00348AFDB04DBB9DA56E9E7BF4EF08704F404094E601EB290D974D9018B55
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f2115835b16e27d31751ddf41146b0e39f3e740cd29d27701bcbeb806781808b
                                              • Instruction ID: 8925f6b1efbee930b80d4f8cb88a5fa4297de1e2d70afb111de6f6aad9e88063
                                              • Opcode Fuzzy Hash: f2115835b16e27d31751ddf41146b0e39f3e740cd29d27701bcbeb806781808b
                                              • Instruction Fuzzy Hash: E3F08270A01248AFDB04DBB9DA56E9EBBF4EF08304F504494E601EB390EA34D901C755
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3c60802a9c969e143440586fb10da523fe96516fa59ac5080b495dbcaf527377
                                              • Instruction ID: a7076be3f205ccb0ab2852dec94bef3f1ac1dd5390c4cdf119dd7efc5cd37fae
                                              • Opcode Fuzzy Hash: 3c60802a9c969e143440586fb10da523fe96516fa59ac5080b495dbcaf527377
                                              • Instruction Fuzzy Hash: D3F0A770A10248AFDB04DBBAD956F9E7BF5EF08308F504498E601EB2D0EA34DD00DB55
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c428766a78a970c33daff436b287001630f8bdc8ee7b56f317507d239c17f391
                                              • Instruction ID: 17cb6d560d6b508ec88bcf267c57c20f537ec8eba084f39fff667c846d02c0a5
                                              • Opcode Fuzzy Hash: c428766a78a970c33daff436b287001630f8bdc8ee7b56f317507d239c17f391
                                              • Instruction Fuzzy Hash: AEF082B5D216949FE311C719C586B097FD5AB057B4F5555E1D4068F542C728D880C261
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6c39805dadf79fc925702359fd576a9d312f5a8ecbe08de6720bda51b70e50aa
                                              • Instruction ID: d7dff089d23f6a9954e461f23b162ef996eec888012737875531f684d7dcb876
                                              • Opcode Fuzzy Hash: 6c39805dadf79fc925702359fd576a9d312f5a8ecbe08de6720bda51b70e50aa
                                              • Instruction Fuzzy Hash: FBF0E9B0A10208DFDB04DBB5DA52E9E77F4EF04304F000494A501EB2D0DA30D900C755
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3eba6a86cb22313c420add198ddc7c071e3aaf046872bd535ae135b2679adc83
                                              • Instruction ID: 432406efe2ea9fd6ea0bfc09411cd2cd0268f0ff449bdeafb61b712d0a09af6f
                                              • Opcode Fuzzy Hash: 3eba6a86cb22313c420add198ddc7c071e3aaf046872bd535ae135b2679adc83
                                              • Instruction Fuzzy Hash: 74F0A770A00248AFDB08DBB9D956E9E7BF4EF49344F505499E501FB2D0EA74D900C755
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                              • Instruction ID: ae6ffaa78cd1291ca4c99e916a86f69110e8d3337e5830c82aa285b44bd268ee
                                              • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                              • Instruction Fuzzy Hash: EDF0E539A087549BF705CF16D551AC97FE4EB45394F1104D4E9428B301DB31E982DB81
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
                                              • Instruction ID: b9dc3113bda691ab5c5b4fad8400c1dcf48e6751168971c9befe3f44e97fc52c
                                              • Opcode Fuzzy Hash: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
                                              • Instruction Fuzzy Hash: 89E0E533511724ABD2124A56DC02F06BFB9FF507B0F104165B058175908B64B851CAD4
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                              • Instruction ID: 02551b91c725a1e7f427638f6a7ec354a1852db42615941b08990eb73ccca3f8
                                              • Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                              • Instruction Fuzzy Hash: E7E06DB2610214AFDB54CB55CE06FE673ECEB00760F500258B116930E0DBB0AE40CB64
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e5e4d21e36b203317a282b688c06a0d4839eca2827a25b258dd92778e278ac61
                                              • Instruction ID: 3c0107663daf68d21d91727ab639f446ecbd9531d25bf5d6b1b8a237e04d20a2
                                              • Opcode Fuzzy Hash: e5e4d21e36b203317a282b688c06a0d4839eca2827a25b258dd92778e278ac61
                                              • Instruction Fuzzy Hash: 8BE09232110694ABC312AB2ACE02F8A7BEAEF50374F014565B215571A0CA30A810C7D9
                                              • Opcode Fuzzy Hash: 1ba2bb9c4023102e1fe293bde9fd291390390dd887d5ea16491895912f168845
                                              • Instruction Fuzzy Hash: 159002A171150042E10471D88445706044647F1241F55C053A3154518CC5298D655125
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 84a0e1b6e3686688b252907fdd9cfadf0e580ce56126ee6434f9139b0eea6608
                                              • Instruction ID: 4ce09ec46a2a2a2630b13fe8435ee95d845ce80c024223de614a3367c0da252f
                                              • Opcode Fuzzy Hash: 84a0e1b6e3686688b252907fdd9cfadf0e580ce56126ee6434f9139b0eea6608
                                              • Instruction Fuzzy Hash: FB90027170190402E10071D8885570B040647E0342F55C052A2164519D862589556571
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5c29ad9c31dc8e2f7b90abbf5b19247d86c51733d9568bb51ee12d3749f46e44
                                              • Instruction ID: 92ea11b8dbe493ac898f0359e7c0b31d0cc170c8edc1b41120bd1a724d77a08c
                                              • Opcode Fuzzy Hash: 5c29ad9c31dc8e2f7b90abbf5b19247d86c51733d9568bb51ee12d3749f46e44
                                              • Instruction Fuzzy Hash: 2790027170190402E10071D88849747040647E0342F55C052A6164519E8665C9956531
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6a408ea3eaf74f36dcaad1869f97f9215a7cb4b93cfead550392ea28c37a133f
                                              • Instruction ID: 5c47f2bc41fa93498d6cdc20f7ea45230da4c600f1503dd583a943457b9e3f1e
                                              • Opcode Fuzzy Hash: 6a408ea3eaf74f36dcaad1869f97f9215a7cb4b93cfead550392ea28c37a133f
                                              • Instruction Fuzzy Hash: 23900261B0150042514071E8C88590644066BF1251755C162A1998514D855989695665
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4ca95624a30c71dcb33f01de64c11ec7b1f3f9fdd15a4455f6c238d119154bf8
                                              • Instruction ID: c093fcb3b69db444a97228b02ab88495bb3b9750d613ebdb9c861c4e6c0c9820
                                              • Opcode Fuzzy Hash: 4ca95624a30c71dcb33f01de64c11ec7b1f3f9fdd15a4455f6c238d119154bf8
                                              • Instruction Fuzzy Hash: E4900261711D0042E20075E88C55B07040647E0343F55C156A1154518CC91589655521
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dbfb4669acd612107e943fa9c669dc6d9a8a803e91ca3b9206439077000d9640
                                              • Instruction ID: 1f6ab3ebddf7bd8ce9d29a308e43ff4a1ce86e7d7f8667d6d2f02d288030e9fb
                                              • Opcode Fuzzy Hash: dbfb4669acd612107e943fa9c669dc6d9a8a803e91ca3b9206439077000d9640
                                              • Instruction Fuzzy Hash: 2790027170150842E10071D88445B46040647F0341F55C057A1124618D8615C9557521
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 695fafe4569053bba73cf9c13e448cca09bca87e72e8aa7b1d30aa6ba18ee159
                                              • Instruction ID: 7c2d921912ec94a1eb402575d615b9e10c0d50a9315b8cb9feb69915e086061c
                                              • Opcode Fuzzy Hash: 695fafe4569053bba73cf9c13e448cca09bca87e72e8aa7b1d30aa6ba18ee159
                                              • Instruction Fuzzy Hash: E190027170158802E11071D8C44574A040647E0341F59C452A542461CD869589957121
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 392bbcf3cfdfdb64850715f830710374eb86bfdb07975bc9fc8f74508d4f64c3
                                              • Instruction ID: 761ab846609de876d163f6cd3167d6fed4bd9870c65127b891865c98176668de
                                              • Opcode Fuzzy Hash: 392bbcf3cfdfdb64850715f830710374eb86bfdb07975bc9fc8f74508d4f64c3
                                              • Instruction Fuzzy Hash: D690027170150402E10075D89449646040647F0341F55D052A6024519EC66589956131
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b9ef220bd41d5cdd9ff2924d30e47c011ceb86cebf22a39f9d5d15fa88fcaebf
                                              • Instruction ID: 09ea1e662e24429b185c1486828ba396de5e153a5f456671c86efc6a053cce10
                                              • Opcode Fuzzy Hash: b9ef220bd41d5cdd9ff2924d30e47c011ceb86cebf22a39f9d5d15fa88fcaebf
                                              • Instruction Fuzzy Hash: 58900261B0550402E14071D89459706041647E0241F55D052A1024518DC6598B5966A1
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 67a7484589620eae7bdfc2860bdc32293a17d2ed8e677cda85e9ab716b3a4caf
                                              • Instruction ID: fbb92c6795792e454dcec2fdb28256673ed3a316d57498174222e682c1c81a32
                                              • Opcode Fuzzy Hash: 67a7484589620eae7bdfc2860bdc32293a17d2ed8e677cda85e9ab716b3a4caf
                                              • Instruction Fuzzy Hash: 5E90027170150403E10071D89549707040647E0241F55D452A142451CDD65689556121
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e80c398c1a9d748316018b9e4d2c5ca823133f49effba123dc9742d68a407e96
                                              • Instruction ID: 58749b39e7c93128603f059563e16d18f3708b90d7964e0fb3eab78a6b1f20f9
                                              • Opcode Fuzzy Hash: e80c398c1a9d748316018b9e4d2c5ca823133f49effba123dc9742d68a407e96
                                              • Instruction Fuzzy Hash: 8190026170554442E10075D89449A06040647E0245F55D052A2064559DC6358955A131
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6f950c7b9cb2907f5589a87883980d9667490b80e456ea547121ef6e575cec36
                                              • Instruction ID: f2cf2ce8aada1bb74e41080bb651927d6897bfd88a2f33da718c0163f94acba9
                                              • Opcode Fuzzy Hash: 6f950c7b9cb2907f5589a87883980d9667490b80e456ea547121ef6e575cec36
                                              • Instruction Fuzzy Hash: EB90026971350002E18071D8944960A040647E1242F95D456A101551CCC915896D5321
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f4bcc37f0058e4fe432e0dd423022d0e70b314b8901a0809130219c3fe97fec0
                                              • Instruction ID: 19ce2ba8b8dd0430f712581cb26a528db321bc0f623b95d94ce1bed57fe3ddeb
                                              • Opcode Fuzzy Hash: f4bcc37f0058e4fe432e0dd423022d0e70b314b8901a0809130219c3fe97fec0
                                              • Instruction Fuzzy Hash: 8290027170250142A54072D89845A4E450647F1342B95D456A1015518CC91489655221
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 350997f81db181b56c2df65316b64027c72441ffe50f8f582523dcb5f6ad1553
                                              • Instruction ID: 0e7c37447aab4c55cc25db1a36f0316cde58f963d3bd63237e33fc86d2b8e6ee
                                              • Opcode Fuzzy Hash: 350997f81db181b56c2df65316b64027c72441ffe50f8f582523dcb5f6ad1553
                                              • Instruction Fuzzy Hash: FE90026170150003E14071D89459606440697F1341F55D052E1414518CD915895A5222
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 085f351ceaf6ab2bdd06ca59fc2dcca0f2833467d8bef64f7a083cea10b8c520
                                              • Instruction ID: 294fa7e98874916708a022e1ff38d518a5c665da4e56ab3290343fc925199d98
                                              • Opcode Fuzzy Hash: 085f351ceaf6ab2bdd06ca59fc2dcca0f2833467d8bef64f7a083cea10b8c520
                                              • Instruction Fuzzy Hash: 0A90027570150402E51071D89845646044747E0341F55D452A142451CD865489A5A121
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 35dbd41fb058eeaee0e36931883d891e72807520871dce6c3edfbdc70ebedba3
                                              • Instruction ID: d34ecdf9d20c3957a88abc1a2e40428975857ae4a502f309bc2d9554cea70429
                                              • Opcode Fuzzy Hash: 35dbd41fb058eeaee0e36931883d891e72807520871dce6c3edfbdc70ebedba3
                                              • Instruction Fuzzy Hash: A990027174150402E14171D88445606040A57E0281F95C053A1424518E86558B5AAA61
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f772b418ae135f77e7ddd478f391ed21d408ace9aca99fac4525e90f71ef6d8d
                                              • Instruction ID: 9e1076b072c14c72bcc3417a7fd105d62be24806c856f0f8fd7ab516a8bfa0af
                                              • Opcode Fuzzy Hash: f772b418ae135f77e7ddd478f391ed21d408ace9aca99fac4525e90f71ef6d8d
                                              • Instruction Fuzzy Hash: 69900261742541526545B1D88445507440757F0281795C053A2414914C8526995AD621
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e422597ff44e0a10c6533c49759a31ce28ba5dbfe2f7b872914bb89da81d3b75
                                              • Instruction ID: f04556939dde8dcdd0e1851ea5e16e4be360d0e9c2bed0c682324e3a87bf5795
                                              • Opcode Fuzzy Hash: e422597ff44e0a10c6533c49759a31ce28ba5dbfe2f7b872914bb89da81d3b75
                                              • Instruction Fuzzy Hash: E49002E1701640925500B2D8C445B0A490647F0241B55C057E2054524CC52589559135
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1bc961262e9095fa0a85f1877afba6041632a47306f9d46d50ca7b8d828fb0bf
                                              • Instruction ID: 070c7c22558548229509189ca370993ee68afaf7f346ecdd5020ad768c0c4324
                                              • Opcode Fuzzy Hash: 1bc961262e9095fa0a85f1877afba6041632a47306f9d46d50ca7b8d828fb0bf
                                              • Instruction Fuzzy Hash: 17900475711500031105F5DC4745507044747F53D1355C073F3015514CD731CD755131
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9a839ee73139c152ab5c4081e847d67dbe993327471ea31529fd7652c6b5cdc4
                                              • Instruction ID: 498560c9f22d9fc9828d8f8a416b1be8b2d8ab0d979ac2a3ec4665e8139a4bda
                                              • Opcode Fuzzy Hash: 9a839ee73139c152ab5c4081e847d67dbe993327471ea31529fd7652c6b5cdc4
                                              • Instruction Fuzzy Hash: DA900265721500021145B5D8464550B084657E6391395C056F2416554CC62189695321
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4c899f067543b53306dabc73669519004eb86a5f0ec59ad815e853b138071e9a
                                              • Instruction ID: 413ca3085a3d09a9ee29a5e71c87bd3575a4242d670130b67daa3da2db8e207f
                                              • Opcode Fuzzy Hash: 4c899f067543b53306dabc73669519004eb86a5f0ec59ad815e853b138071e9a
                                              • Instruction Fuzzy Hash: CD9002A170250003510571D88455616440B47F0241B55C062E2014554DC52589956125
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fa0bc381e1f169d24b86514247d534e79177376df8bde4d8f94fe64afee51ed5
                                              • Instruction ID: d5301707e823945b83b10389122c244f53d3bf8bae341c49c882224b7d3767de
                                              • Opcode Fuzzy Hash: fa0bc381e1f169d24b86514247d534e79177376df8bde4d8f94fe64afee51ed5
                                              • Instruction Fuzzy Hash: 5B90027170150802E10471D88845686040647E0341F55C052A7024619E966589957131
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: df33f8db6b68b74c54e879095154569fe7f2438e85a417f385490d7d4ffaac88
                                              • Instruction ID: 0f4192ed44aa0ac8680d0cc035b94edac3dd00afccc4875abb1885bbd32cfaee
                                              • Opcode Fuzzy Hash: df33f8db6b68b74c54e879095154569fe7f2438e85a417f385490d7d4ffaac88
                                              • Instruction Fuzzy Hash: A7900271B0550802E15071D88455746040647E0341F55C052A1024618D87558B5976A1
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c1b9d1ee52f7bb3798f6d16513714d139f0405410e7da70d3f5dbdb253d984a2
                                              • Instruction ID: 492e94add39e67334f2b39d70fa14221d33bbe26831431e40794cf98bc598912
                                              • Opcode Fuzzy Hash: c1b9d1ee52f7bb3798f6d16513714d139f0405410e7da70d3f5dbdb253d984a2
                                              • Instruction Fuzzy Hash: 5590027170554842E14071D88445A46041647E0345F55C052A1064658D96258E59B661
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 33f7f94ac3c84206dbd6e3883aa793d262b35640787e1a20425b1433041d239e
                                              • Instruction ID: 8c0140b1c581555f5713173f0434ef36a2dec76a67d264cb480dfe8626417e5f
                                              • Opcode Fuzzy Hash: 33f7f94ac3c84206dbd6e3883aa793d262b35640787e1a20425b1433041d239e
                                              • Instruction Fuzzy Hash: 2990027170150802E18071D8844564A040647E1341F95C056A1025618DCA158B5D77A1
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7304bc7c095ac6ac3ee43536524bfe0d2b251b029318cb1d99716b2bb37529ba
                                              • Instruction ID: 6670ab4d8e1c25b84100acf233665fd80fa1f185fd7701f3fc6969fedc3b336b
                                              • Opcode Fuzzy Hash: 7304bc7c095ac6ac3ee43536524bfe0d2b251b029318cb1d99716b2bb37529ba
                                              • Instruction Fuzzy Hash: 2F90026174555102E15071DC8445616440667F0241F55C062A1814558D855589596221
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                              • Instruction ID: a01d0e531dc60eb2b36b730ea61b4687068bf1dd2cb9984757691b7bd86ba74f
                                              • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                              • Instruction Fuzzy Hash:

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 814 36092890-360928b3 815 360ca4bc-360ca4c0 814->815 816 360928b9-360928cc 814->816 815->816 817 360ca4c6-360ca4ca 815->817 818 360928dd-360928df 816->818 819 360928ce-360928d7 816->819 817->816 822 360ca4d0-360ca4d4 817->822 821 360928e1-360928e5 818->821 819->818 820 360ca57e-360ca585 819->820 820->818 823 36092988-3609298e 821->823 824 360928eb-360928fa 821->824 822->816 825 360ca4da-360ca4de 822->825 828 36092908-3609290c 823->828 826 360ca58a-360ca58d 824->826 827 36092900-36092905 824->827 825->816 829 360ca4e4-360ca4eb 825->829 826->828 827->828 828->821 830 3609290e-3609291b 828->830 831 360ca4ed-360ca4f4 829->831 832 360ca564-360ca56c 829->832 833 36092921 830->833 834 360ca592-360ca599 830->834 836 360ca50b 831->836 837 360ca4f6-360ca4fe 831->837 832->816 835 360ca572-360ca576 832->835 840 36092924-36092926 833->840 842 360ca5a1-360ca5c9 call 360a0050 834->842 835->816 841 360ca57c call 360a0050 835->841 839 360ca510-360ca536 call 360a0050 836->839 837->816 838 360ca504-360ca509 837->838 838->839 854 360ca55d-360ca55f 839->854 844 36092928-3609292a 840->844 845 36092993-36092995 840->845 841->854 851 3609292c-3609292e 844->851 852 36092946-36092966 call 360a0050 844->852 845->844 849 36092997-360929b1 call 360a0050 845->849 863 36092969-36092974 849->863 851->852 857 36092930-36092944 call 360a0050 851->857 852->863 860 36092981-36092985 854->860 857->852 863->840 865 36092976-36092979 863->865 865->842 866 3609297f 865->866 866->860
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID: ___swprintf_l
                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                              • API String ID: 48624451-2108815105

                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: HEAP:
                                              • API String ID: 3446177414-2466845122

                                              Strings
                                              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 360C4742
                                              • Execute=1, xrefs: 360C4713
                                              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 360C4725
                                              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 360C46FC
                                              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 360C4655
                                              • CLIENT(ntdll): Processing section info %ws..., xrefs: 360C4787
                                              • ExecuteOptions, xrefs: 360C46A0
                                              Similarity
                                              • API ID:
                                              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                              • API String ID: 0-484625025
                                              Strings
                                              • RtlpFindActivationContextSection_CheckParameters, xrefs: 360B79D0, 360B79F5
                                              • RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 360B7AE6
                                              • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 360B79D5
                                              • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 360B79FA
                                              • Actx , xrefs: 360B7A0C, 360B7A73
                                              • SsHd, xrefs: 3606A3E4
                                              Similarity
                                              • API ID:
                                              • String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
                                              • API String ID: 0-1988757188
                                              APIs
                                              Strings
                                              • GsHd, xrefs: 3606D874
                                              • RtlpFindActivationContextSection_CheckParameters, xrefs: 360B9341, 360B9366
                                              • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 360B9346
                                              • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 360B936B
                                              • RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section, xrefs: 360B9565
                                              • Actx , xrefs: 360B9508
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: Actx $GsHd$RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
                                              • API String ID: 3446177414-2196497285
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: $$Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx$LdrpRedirectDelayloadFailure$Unknown$minkernel\ntdll\ldrdload.c
                                              • API String ID: 3446177414-4227709934
                                              • Opcode ID: a33e1d915af7107e003c1d3303b6e29c7f8cb2ec9e138502879b5eea3ffc2cc8
                                              • Instruction ID: 0cd017cf6d162e4480b534773aca4390f94ca3f87dff4c2a2f3aaebaa0d5e737
                                              • Opcode Fuzzy Hash: a33e1d915af7107e003c1d3303b6e29c7f8cb2ec9e138502879b5eea3ffc2cc8
                                              • Instruction Fuzzy Hash: F3419EB9E01208ABDB01DF99C981ADEBFF6FF48354F204199E900AB342D731D911CBA1
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: About to free block at %p$About to free block at %p with tag %ws$HEAP: $HEAP[%wZ]: $RtlFreeHeap
                                              • API String ID: 3446177414-3492000579
                                              • Opcode ID: 529ef5ebbd990c9549cc3ebccd24b674b9443fce077bd4c8522cfde97b5f2270
                                              • Instruction ID: 259bad953d555e5db1da9542bbec79564839c60122f129cf0c29c663f865c6a6
                                              • Opcode Fuzzy Hash: 529ef5ebbd990c9549cc3ebccd24b674b9443fce077bd4c8522cfde97b5f2270
                                              • Instruction Fuzzy Hash: A8710E71924644DFDB02CFA8C9426ADFFF2FF4A304F448099E545AB252CB369985CF90
                                              APIs
                                              Strings
                                              • minkernel\ntdll\ldrinit.c, xrefs: 360A9AC5, 360A9B06
                                              • LdrpLoadShimEngine, xrefs: 360A9ABB, 360A9AFC
                                              • Loading the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 360A9AB4
                                              • Initializing the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 360A9AF6
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimEngine$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                              • API String ID: 3446177414-3589223738
                                              • Opcode ID: 8a1b01362ef1648865cc92318169ccd3e79bf689c06b9c1b6da7a4324a5583a5
                                              • Instruction ID: 5b79b68b6d8bdde8db87668e78812277f9ee4d28d145702bf953cc3222746937
                                              • Opcode Fuzzy Hash: 8a1b01362ef1648865cc92318169ccd3e79bf689c06b9c1b6da7a4324a5583a5
                                              • Instruction Fuzzy Hash: 1D513275B203149FDB16EBA8CC56A9D7FF2BB40348F1001A6E640BF295DB709C61CB90
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlUnlockHeap
                                              • API String ID: 3446177414-3224558752
                                              • Opcode ID: 17dd8c14d8cbabb1f687573add1190f825b3bb9ffc516fe9400964a5d55d8e20
                                              • Instruction ID: d8d2f489acf4d69297cd2a2eb173a9280d7f6f4738a7d4231417795a675c01fa
                                              • Opcode Fuzzy Hash: 17dd8c14d8cbabb1f687573add1190f825b3bb9ffc516fe9400964a5d55d8e20
                                              • Instruction Fuzzy Hash: 25412274A10740DFEB12CBA4C997B5ABFF4EF44364F1080E9D81197290CB78E880CB96
                                              APIs
                                              Strings
                                              • Entry Heap Size , xrefs: 360FF26D
                                              • HEAP: , xrefs: 360FF15D
                                              • ---------------------------------------, xrefs: 360FF279
                                              • Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information, xrefs: 360FF263
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: ---------------------------------------$Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information$Entry Heap Size $HEAP:
                                              • API String ID: 3446177414-1102453626
                                              • Opcode ID: a60a31c9ef1dd17a60093e421d017561c05befad589fae3104c73c1ba4ec6cbb
                                              • Instruction ID: 358d8f2acf10891796ba2e47968d77466683fe11d1d40c5f852aeb15a8fb6713
                                              • Opcode Fuzzy Hash: a60a31c9ef1dd17a60093e421d017561c05befad589fae3104c73c1ba4ec6cbb
                                              • Instruction Fuzzy Hash: 17416779A20215DFC716DF58C88290ABFF6FF493A572581A9D508AF210DB32EC52DB90
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlLockHeap
                                              • API String ID: 3446177414-1222099010
                                              • Opcode ID: 56f667403cdd71def78744bbc6ca7d2a4a673300f659a52a7d9ab12bb3265119
                                              • Instruction ID: 9bbb92df85fbe84d13f8d8e7ec163a08e3c213c5a2142745bf0029cb67d78030
                                              • Opcode Fuzzy Hash: 56f667403cdd71def78744bbc6ca7d2a4a673300f659a52a7d9ab12bb3265119
                                              • Instruction Fuzzy Hash: 46310334514780EFE722DBA4C90BB4A7FF8EF01755F0084D5E45157691CBA8E881CB56
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: __aulldvrm
                                              • String ID: +$-$0$0
                                              • API String ID: 1302938615-699404926
                                              • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                              • Instruction ID: 98ba0ac8878a235a64f303a6b8164a02fa02d0bf1d1d2afc3da632370d7d168b
                                              • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                              • Instruction Fuzzy Hash: C881F178E052099EEB048E69C8927EFBFF3AF44374F544299D860A72B0CB749840EB51
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: $$@
                                              • API String ID: 3446177414-1194432280
                                              • Opcode ID: 81c10829c90c57395bf7216a6560abb4b10cd5fca5a11bb8c336523462cb234a
                                              • Instruction ID: b3caa46a8027d712d663072f3b4e6fed6fa7b997567a2247d6450f019c2a4d90
                                              • Opcode Fuzzy Hash: 81c10829c90c57395bf7216a6560abb4b10cd5fca5a11bb8c336523462cb234a
                                              • Instruction Fuzzy Hash: DC815CB5D002699BDB21CB55CD45BEEBBB8AF08754F0081DAEA19B7240D7309E84CFA4
                                              APIs
                                              Strings
                                              • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 360C362F
                                              • Querying the active activation context failed with status 0x%08lx, xrefs: 360C365C
                                              • LdrpFindDllActivationContext, xrefs: 360C3636, 360C3662
                                              • minkernel\ntdll\ldrsnap.c, xrefs: 360C3640, 360C366C
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                              • API String ID: 3446177414-3779518884
                                              • Opcode ID: be411d233ec0b047413e5bb54e47afa3098e2e4c8b257ca7f30c9756af5a530f
                                              • Instruction ID: 847954636f3c416ff8d6de1464e9cc3bef22d9740d233861cc1ab8bf54842546
                                              • Opcode Fuzzy Hash: be411d233ec0b047413e5bb54e47afa3098e2e4c8b257ca7f30c9756af5a530f
                                              • Instruction Fuzzy Hash: D8312476D10711AEFB12DB15C88BB196FF4BB01399F5680EAE90467250DB609C80C7F5
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: (HeapHandle != NULL)$HEAP: $HEAP[%wZ]:
                                              • API String ID: 3446177414-3610490719
                                              • Opcode ID: 6f678523a8d64ca4f49bcce30d004bc29d6f8ffbff5201867057d1e71d211352
                                              • Instruction ID: 4e9bfdbc34945b0fb0a06076723449fb097c7801052b29d476eb89b397cff338
                                              • Opcode Fuzzy Hash: 6f678523a8d64ca4f49bcce30d004bc29d6f8ffbff5201867057d1e71d211352
                                              • Instruction Fuzzy Hash: 9C91F5B1A147519BE326EF25C952B2EBFE5FF80684F0005E9E5449B281DB34A851CFD2
                                              APIs
                                              Strings
                                              • minkernel\ntdll\ldrinit.c, xrefs: 360BA121
                                              • LdrpCheckModule, xrefs: 360BA117
                                              • Failed to allocated memory for shimmed module list, xrefs: 360BA10F
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                              • API String ID: 3446177414-161242083
                                              • Opcode ID: 93108de1f6d7c477e974c95e986d5631ca3a20c47f9d1e34151a17d1e0e05dfd
                                              • Instruction ID: 37d7e842c62d8a4949f8b2a617054662a83bc872f1ebdce757dc50ea96067cb3
                                              • Opcode Fuzzy Hash: 93108de1f6d7c477e974c95e986d5631ca3a20c47f9d1e34151a17d1e0e05dfd
                                              • Instruction Fuzzy Hash: 5171D3B4E10205DFEB05DF68CE42AAEBFF5EF44304F1445A9D506E7210D634E951CB95
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: LdrpUnloadNode$Unmapping DLL "%wZ"$minkernel\ntdll\ldrsnap.c
                                              • API String ID: 3446177414-2283098728
                                              • Opcode ID: b642571ca8ca4e7c9bb727abd123fe3871bc3c10236a3dff284d7dd3913f8226
                                              • Instruction ID: dd82b777a98743ee2b762018c1d11fdc7780be3bdd2564ded8684872e5f87d06
                                              • Opcode Fuzzy Hash: b642571ca8ca4e7c9bb727abd123fe3871bc3c10236a3dff284d7dd3913f8226
                                              • Instruction Fuzzy Hash: 4B51F171A143029FE715DF29CD82A19BFE1FF84318F1006E9E5D597290DBB4E851CB8A
                                              Strings
                                              • RTL: Re-Waiting, xrefs: 360C7BAC
                                              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 360C7B7F
                                              • RTL: Resource at %p, xrefs: 360C7B8E
                                              Similarity
                                              • API ID:
                                              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                              • API String ID: 0-871070163
                                              • Opcode ID: 70e5f382064f82427f275e0f20c2c19a2eef520881c714859adcb4e8c7e7f7e6
                                              • Instruction ID: 44a14a9dcf5aa5a04f4f662798c8a63e8565bea868bffc8925412f670826cc02
                                              • Opcode Fuzzy Hash: 70e5f382064f82427f275e0f20c2c19a2eef520881c714859adcb4e8c7e7f7e6
                                              • Instruction Fuzzy Hash: 5641F279B407029FE710CE25CD42B5ABFE5EF98710F100A9DF8659B281DB31E805CB91
                                              APIs
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 360C728C
                                              Strings
                                              • RTL: Re-Waiting, xrefs: 360C72C1
                                              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 360C7294
                                              • RTL: Resource at %p, xrefs: 360C72A3
                                              Similarity
                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                              • API String ID: 885266447-605551621
                                              • Opcode ID: d5529c593c22fe5c944a920d276a63332577fb25e947b1dfa40bc7f793ceb01e
                                              • Instruction ID: 661cef2f775c82b4d45b21fd2d0f24dcca22fe7a154f440ef65fd37fbb4d3208
                                              • Opcode Fuzzy Hash: d5529c593c22fe5c944a920d276a63332577fb25e947b1dfa40bc7f793ceb01e
                                              • Instruction Fuzzy Hash: 4941EF75A00716ABE710CE26CC43B5ABFE5FB84765F200699F854AB240DB21E846CBD1
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: Wow64 Emulation Layer
                                              • API String ID: 3446177414-921169906
                                              • Opcode ID: 23d0ccce42d015066c093f40de8b5863c433b499131bede459db734ee28a107d
                                              • Instruction ID: f1eb1cfcc0d5cf30edb307f66d06bdcb22867d8aa93fc2250868ae0350379465
                                              • Opcode Fuzzy Hash: 23d0ccce42d015066c093f40de8b5863c433b499131bede459db734ee28a107d
                                              • Instruction Fuzzy Hash: 92214A7690021DBFAF029BA2CD85CBF7F7DEF45299B0004E4FA01A6140EA34DE01DB20
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5071243e5f1e0bd8f9f93f71e4a15fce5afe4ded861ca4d404e2bb1d60aa27f0
                                              • Instruction ID: aeade704f6b02e582e6043dce21abefe075c1c82b8772c14f9eae5fba1356ac2
                                              • Opcode Fuzzy Hash: 5071243e5f1e0bd8f9f93f71e4a15fce5afe4ded861ca4d404e2bb1d60aa27f0
                                              • Instruction Fuzzy Hash: D4E1F0B4D00718DFEB21CFAAC981A8DBBF1FF48354F2045AAE555A7660D770A881CF58
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID:
                                              • API String ID: 3446177414-0
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID:
                                              • API String ID: 3446177414-0
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID:
                                              • API String ID: 3446177414-0
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes$BaseInitThreadThunk
                                              • String ID:
                                              • API String ID: 4281723722-0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @
                                              • API String ID: 0-2766056989
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID: __aulldvrm
                                              • String ID: +$-
                                              • API String ID: 1302938615-2137968064
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 0$Flst
                                              • API String ID: 0-758220159
                                              APIs
                                              • @_EH4_CallFilterFunc@8.LIBCMT ref: 360DCFBD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID: CallFilterFunc@8
                                              • String ID: @$@4Qw@4Qw
                                              • API String ID: 4062629308-2383119779
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3193345971.0000000036020000.00000040.00001000.00020000.00000000.sdmp, Offset: 36020000, based on PE: true
                                              • Associated: 00000005.00000002.3193345971.0000000036149000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.000000003614D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000005.00000002.3193345971.00000000361BE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_36020000_Ppto.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: 0$0
                                              • API String ID: 3446177414-203156872